Security+ Chapter 9: Identifying Threats, Attacks, and Vulnerabilities

Bourne Again Shell (Bash)

(Linux) Used to run commands and run executables and automated tasks

Hoax

(n.) an act intended to trick or deceive, a fraud; (v.) to trick, deceive

For what type of attack would I use the strcpy tool?

*strcpy* can be used for a buffer overflow attack

DoS vs. DDoS

- DoS network attack comes from a single IP address - DDoS network attack emanates from multiple IP addresses

Pharming

A DNS redirection attack where either the DNS cache has been poisoned or an entry is placed in the victim's host files.

Explain a man-in-the-middle attack?

A Man-in-the-Middle (MITM) attack is an on-path attack where a connection between hosts is intercepted and the conversation is changed and then replayed, but the people involved still believe that they are talking directly to each other.

What type of attack is a man-in-the middle attack using an SSL3.0 browser that uses a CBC?

A POODLE attack is an MIM attack using an SL3.0 browser that uses Cipher Block Chaining (CBC)

What is an RAT?

A Remote Access Trojan (RAT) is a Trojan that sends the user's username and password to an external source so that a remote session can be created.

What is a botnet?

A botnet is a group of computers that have been infected so that they can be used to carry out malicious acts without the real attacker being identified. They could be used for a DDoS attack.

What is the fastest password attack that can crack any password?

A brute-force attack is the fastest password attack that will crack any password, as it uses all combinations of characters, letters, and symbols

Hybrid Attack

A combination of a dictionary and brute-force attack

PowerShell

A command-line interactive scripting environment that provides the commands needed for most management tasks in a Windows Server 2012/R2 environment. Can be used for attacks: - Injecting malware directory into memory - Used to run macros - Lateral movement attacks

Refactoring

A driver manipulation method. Developers rewrite the code without changing the driver's behavior.

Shimming

A driver manipulation method. It uses additional code to modify the behavior of a driver. Shim: a small library that transparently intercepts API calls and changes the arguments passed. They can also be used to run programs on different software platforms than they were developed for. Normally used to help 3rd-party software applications work with an operating system.

Describe how a fileless virus operates.

A fileless virus piggybacks itself onto a legitimate application, and they both launch together. Using Malwarebytes would alert you of both launching at the same time.

Pretexting

A form of social engineering in which the attacker makes up a scenario asking for details to confirm someone's identity. This could lead to identify theft.

What is the purpose of a keylogger?

A keylogger is a piece of software that could run from a USB flash drive plugged into the back of a computer, which then records all the keystrokes being used. It can capture sensitive data that is typed in, such as bank account details and passwords.

How does a logic bomb virus work?

A logic bomb virus is triggered by an event; for example, a Fourth of Julyl logic bomb would activate when the date on the computer was July 4. It is triggered by time, scripty, *.bat/.cmd* files, or a task scheduler.

Keylogger

A malicious program that records keystrokes.

Clickjacking

A malicious technique for tricking a web user into clicking on an icon or link, the outcome of which is different from what the user perceives they are clicking on, thereby potentially revealing confidential information or taking control of their computer. An attacker establishes a malicious website that invisibly embeds the Facebook Like or Share button in a transparent iframe. When the victim clicks within the malicious site, the click is directed to the invisible Like or Share button.

What type of attack is a man-in-the-browser attack?

A man-in-the-browser attack is a Trojan that intercepts your session between your browser and the internet; it aims to obtain financial transactions.

Explain a phishing attack

A phishing attack is when a user receives an email asking them to fill in a form requesting their bank details

What is a pivot?

A pivot is where you gain access to a network so that you can launch an attack on a secondary system

Python

A powerful scripting language used by administrators of websites. Is vulnerable to backdoor attacks.

URL Hijacking

A process in which a website is falsely removed from the results of a search engine and re placed by another web page that links to the remote page. Another form of this is Typosqatting

How does a reply attack differ from a man-in-the-middle attack?

A replay attack is similar to a MITM attack, except the intercepted packet is replayed at a later date

What type of virus attacks the *Windows/System32* folder on Windows, or the Bash Shell on Linux?

A rootkit virus attacks the root in the *Windows/System32* folder, or in a Bash shell in Linux. for Windows, you may reinstall the OS, but the virus will still be there

Macros

A series of actions that you want to carry out that are normally used with Word or Excel (use MS Visual Basic for Applications scripting language). Macros are disabled by default in Microsoft Office.

Key Stretching

A technique used to increase the strength of stored passwords. it adds additional bits (called salts) and can help thwart brute force and rainbow table attacks.

What type of virus inserts *.dll* into either the *SysWOW64* or *System32* folder?

A trojan inserts a *.dll* into either the *SysWOW664* or *System32* folder

What type of attack can include leaving voicemail?

A vishing attack an use a telephone or leave a voicemail

What is a watering hole attack?

A watering hole attack infects a trusted website that a certain group of people visits regularly

Cross-Site Request Forgery (XSRF or CSRF)

A web application attack. Its attacks trick users into performing actions on websites, such as making purchases, without their knowledge.

What is a whaling attack?

A whaling attack targets a CEO or a high-level executive in a company

I am trying to use the internet, but my wireless session keeps crashing. What type of attack is this?

A wireless disassociation attack is where the attacker prevents the victim from connecting to the WAP

What type of virus replicates itself and uses either ports 4444 or 5000?

A worm replicates itself and can use either port 4444 or 5000.

What type of exploit has not patches and cannot be detected by NIDS or NIPS?

A zero-day virus has no patches and cannot be detected by NIDS or NIPS, as it may take the anti-virus vendor up to 5 days to release a patch

Salting Passwords

Adding bits to a password before it's hashed so that a rainbow table can't find a matching hash value to decipher the password.

ARP Spoofing

Allows an attacker to intercept data frames on a network, modify traffic, or stop all traffic

What type of attack is a local attack and how can I prevent that attack?

An ARP attack is a local attack that can be prevented by using IPSec

What is the only way to prevent a brute-force attack?

An account locked with a low a value is the only way to prevent a bruit-force attack

Session Hijacking

An attack in which an attacker attempts to impersonate the user by using his session token.

LDAP Injection Attack

An attack that constructs LDAP statements based on user input statements, allowing the attacker to retrieve information from the LDAP database or modify its content.

What type of attack uses the phrase 1=1?

An attack that uses the phrase *1=1* is a SQL injection attack

What type of attack is a multiple SYN flood attack on a well-known website that takes it down?

An attack with multiple SYN flood attacks is a DDoS attack

How does an attacker se a malicious USB drive?

An attacker leaves a malicious USB drive inside a company where it can be found. There is only one shortcut, so when the finder puts it in their computer to try and find the owner, they click on the only visible file and get infected. The attacker can now control their computer.

How close does an attacker need to be for an NFC attack?

An attacker needs to be within 4cm of a card to launch an NFC attack

How does an invoice scam work?

An attacker obtains the details of a legitimate invoice and sends the company reminders that it needs to be paid, but they substitute the bank details with their own.

How does an attacker carry out password spraying?

An attacker works out what standard naming convention a company is using, and they then obtain the names of employees from the internet. They then try common passwords against those accounts.

Collision Attack

An attempt to find two input strings of a hash function that produce the same hash result.

What type of attack is it if I receive an email from my company's CEO, telling me to complete the form attached by clicking on a link in the email?

An email that looks like it has come from your company's CEDO telling you to carry out an action is a social engineering authority attack

One of my bosses asks me to give them information that one of my peers gave me them last week. I am not too sure, but I give them the information. What type of attack is this?

An email that looks like it has come from your company's CEO telling you to carry out an actin is a social engineering authority attack.

What is an evil twin?

An evil twin is a WAP that is made to look like a legitimate WAP

What is crypto-malware?

An example of crypto-malware is ransomware where the victims hard drive is encrypted and held to ransom. It could also have popups.

What is an integer overflow attack?

An integer overflow inserts a number larger than what is allowed

What in an on-path attack?

An on-path attack is an interception attack, for example, a replay or man-in-the-middle attack.

How does artificial intelligence tainting help attackers?

Artificial intelligence uses machine learning to teach the machine to think like a human and detect attacks. So, if it is tainted, it will ignore attacks by the attackers.

If I install a freeware program that analyzes my computer and then finds 40,000 exploits and asks me to purchase the full version, what type of attack is this?

Because you have parted with money, this is a subtle form of ransomware.

Birthday Attack

Birthday paradox: In a random gathering of 23 people, there is a 50% chance that 2 people will have the same birthday. Birthday attack looks for collisions in hashes. If it finds 2 hashes of the same value, the attacker knows that the password is the same

What is bluejacking?

Bluejacking is hijacking someone's Bluetooth phone so that you can take control of it and send text messages

What is bluesnarfing?

Bluesnarfing is when you steal someone's contacts from their Bluetooth phone

Botnet

Bot: A program that infects and takes control of a computer. Botnet: a collection of bots that have been set up for malicious purposes, normally to carry out a DoS attack.

How does an attacker carry out credential harvesting?

Credential harvesting is done by a phishing attack where you are warned that an account has been hacked, and it gives yo a link to a website to resolve it. That way, when you try to log in, they collect your details.

What type of system is susceptible to a birthday attack?

Digital signatures are susceptible to a birthday attack

What is domain hijacking?

Domain hijacking is where someone tries to register your domain, access your hosted control panel, and set u a website that is similar to yours.

What type of attack could involve dressing as a police officer?

Dressing as a police officer would be part of an impersonation attack

How can I prevent a pass-the-hash attack?

Enabling Kerberos or disabling NTLM would prevent a pass-the-hash attack

What type of attack is distributing fake software?

Fake software that will not install is a hoax. An email alert telling you to delete a system file as it is a virus is a hoax.

What type of attack is it if I am in an ATM queue and someone has their phone to one side so that they film the transaction?

If I am using an ATM and someone films the transaction, this is a subtle shoulder surfing attack

What can we do to slow down a brute-force attack?

If an account lockout is not available, the best way to slow down a brute-force attack is to make the password length longer or to salt passwords

What type of attack is it if a fireperson arrives and you let them into the server room to put out a fire?

If you let a fireperson into the server room to put out a fire, that is a social engineering urgency attack.

Name two methods for preventing a reply attack in a Microsoft environment

Input validation and stored procedures can prevent a SQL injection attack. Stored procedures are the best.

How can I prevent a reply attack in a Microsoft environment?

Kerberos authentication uses USN and timestamps and can prevent a replay attack, as the USN packets and the timestamps need to be sequential

Rainbow Tables

Lists of pre-computed passwords with a corresponding hash; speed up the cracking of passwords that have been hashed. Free tables available from the internet.

Why is operational technology vulnerable to attack?

Operational technology is where we have removed CCTV standalone systems that wee air-gapped and we now se a fully integrated solution that is fully connected, leaving them vulnerable to attacks.

How is pretexting used in an attack?

Pretexting is where an attacker manufactures a scenario such as saying that thee is a suspicious activity on your account, and they ask you to confirm your account details. This way, they can steal them.

Digital Signatures

Provide authentication of a sender and integrity of a sender's message. Susceptible to a birthday attack.

What are rainbow tables?

Rainbow tables are pre-computed lists of passwords with the relevant hash in either MD5 or SHA-1

How can I store passwords to prevent a dictionary attack?

Salting passwords inserts a random value and prevents dictionary attacks, as a dictionary does not contain random characters

What type of attack is session hijacking?

Session hijacking is where your cookies are stolen so that someone can pretend to be you

What type of attack would I use shimming or refactoring for?

Shimming and refactoring are used for driver manipulation attacks

What is social engineering?

Social engineering exploits an individual's character in a situation that they are not used to. This is hacking the human, putting them under pressure to make a snap decision.

What is tailgating?

Social engineering tailgating is where someone has used a smart card or entered a pin to access a door, and then someone behind them passes through the door before it closes, entering no credentials.

Driver Manipulation

Sophisticated attackers may dive deep into device drivers to manipulate them so that they undermine the security on your computer. - Shimming - Refactoring

How does spear phishing differ from a fishing attack?

Spear phishing is a phishing attack that has been sent to a group of users

MAC Spoofing Attack

The theft of the MAC address of another networked device, which is hen used to gain access t the network (ex: a wireless access point that uses MAC filtering)

Plantext/Unencrypted

These passwords can be cracked by a brute-force attack

Name two tools that can be used for key stretching

Two tools that can be used for key stretching are *bcrypt* and *PBKDF2*

If I misspell a website but still get there, what type of attack is this?

Typosquatting is where an attacker launches a website with a similar name to a legitimate website in the hope that victims misspell the URL

How can I prevent an attack by a rogue WAP?

Using an 802.1x authentication switch can prevent an attack by a rogue WAP, as the device needs to authenticate itself to attach to the switch

What type of authentication is the most prone to errors?

Using passwords for authentication is more prone to errors as certificates and smart cards don't tend to have many errors

Watering Hole Attack

When an attacker identifies a website that people in a particular industry are likely to visit and then infect it with a virus. This is effective as the people targeted have often been using the website for years and trust its content.

Domain Hijacking

When an attacker tries to change the domain registration of a domain with the internet authorities, so they can control it for profit.

When I go to a restaurant, how can I protect myself against card cloning?

When you go to a restaurant, please ensure that the server does not disappear with your card; make sure it is always visible to you.

Typosquatting (a.k.a., URL hijacking)

Where an attacker creates websites with characters transposed to redirect a user's session to a fraudulent website.

URL Redirection

Where an attacker redirects a user from a legitimate website to a fraudulent website Prevention: keep software up to date, using a web application firewall, or using an automated website scanner that will find vulnerabilities

Bluejacking

Where an attacker takes control of a Bluetooth device (e.g., a phone)

Bluesnarfing

Where an attacker takes control of a Bluetooth device (e.g., a phone) and extracts contact details and any sensitive information.

What type of attack uses HTML tags with JavaScript?

XSS uses HTML tags with JavaScript

Hackers (3 Types)

- Black Hat: Has no information because they are not authorized by the company - Gray Hat: Provided limited information form the company (ex: may be participating in a bug bounty program) - White Hat: Is employed by the company to test applications for flaws and vulnerabilities before its release; has all information they need, including source code

Cloud vs. On-Premises Attacks

- Cloud: uses zero-trust model - On-Premises: physical security (e.g., perimeter fencing, CCTB, guards at gate, etc.)

Physical Attacks

- Malicious USB Cable or Drive - Card Cloning (Skimming) - Supply Chain Attacks - Cloud vs. On-Premises Attacks - Artificial Intelligence

Malicious USB Cable

- Malicious USB Cable: Looks like a Lightning cable but has a Wi-Fi chip built into one of the sockets. These cables act as if they were a mouse and a keyboard. An attacker can use a nearby smartphone to run malicious commands on the device

Types of DDoS Attacks

- Network: Where a botnet is set up to flood a victim's system with an enormous amount of traffic so that it is taken down - Application: Where a DDoS tries to flood a particular application, and a number of packets is known as requests per second (rps). Specifically crafted packets are sent to the application so that it cannot cope with the volume. - OT: When a DDoS targets devices used in video surveillance.

Artificial Intelligence Attacks

- Tainted Training Data for Machine Learning: Machine can be tainted and taught to not detect some forms of attack - Security of Machine Learning Algorithms: Algorithms can analyze malicious patterns in encrypted data to help identify attacks, rather than decrypt data

Elicit Information

A social engineering attack in which the attacker will try to get victim to provide information (ex: using false statements in hope that victim will correct the statement or will use flattery in hopes that victim will boast and provide more information)

Hybrid Warfare

A social engineering attack normally carried out by state actors to influence the balance of power in a country by using military, political, economic, or civil means, and conceivably running a campaign to spread disinformation.

Cross-Site Scripting (XSS)

An attack that injects scripts into a Web application server to direct attacks at clients.

Credential Harvesting

An attack that is normally done using a phising attack, where it states that some details on your account are incorrect and it gives you a hyperlink to resolve the situation. When you click on the link, it gives you a fake web page to log into.

Whaling

An attack that targets either a Chief Executive Officer (CEO) or a high-level executive.

Distributed Denial of Service (DDoS)

An attack that uses many computers to perform a DoS attack.

Urgency

An attack when attacker demands access quickly (ex: "fireman" demanding access to server room before building burns down)

Card Cloning/Skimming

Duplicating a smart card by reading (skimming) the confidential data stored on it. Also known as skimming.

Impersonation

an act of pretending to be another person for the purpose of entertainment or fraud

Address Resolution Protocol (ARP) Poisoning

an attack that convinces the network that the attacker's MAC address is the one associated with an allowed address so that traffic is wrongly sent to the attacker's machine Prevention: use *arp -s* to insert entries into the ARP cache

SQL Injection Attack

inserting a malicious SQL query in input such that it is passed to and executed by an application program

XML Injection

An attack that injects XML tags and data into a database.

Amplification Attacks

A DNS amplification is a DDoS attack in which the attacker exploits vulnerabilities in DNS servers to turn initially small queries into much larger payloads, which are used to bring down the victim's servers. (ex: smurf attack, where a directed IP broadcast is sent to a border router with the victim getting the resultant replies.)

Competitor

A competitor is threat actor who will try to steal trade secrets or sabotage production systems to gain a competitive edge in the marketplace.

Integer Overflow

A condition that occurs when a very large integer exceeds its storage capacity.

Supply Chain Attacks

A cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.

Padding Oracle on Downgraded Legacy Encryption (POODLE)

A man-in-the-middle attack that exploits the use of SSL 3.0 on legacy systems. (A MITM downgrade attack using SSL 3.0 in Chain Block Cipher--CBC--mode)

Replay Attack

A man-in-the-middle attack that intercepts data but replays it at a later date. Prevention: Kerberos (uses updated sequence numbers and timestamps)

Threat Actor

A person or element that has the power to carry out a threat.

Spear Phishing

A phishing attack that targets a group of people

SMiShing

A phishing attack that uses SMS text messages (ex: attack asking reader to visit a website or call a phone number that turns out to be a premium rate call)

Vishing

A phishing attack that uses a telephone call instead of using e-mail. Goal: extort money

Backdoor

A piece of software or a computer system that is created by program developers in case someone locks themselves out of the program; they are generally undocumented. Attackers use these to gain access to systems.

Rootkit

A program that could install itself in the system BIOS, and no matter how many times the operating system is reinstalled, it keeps coming back. A Linux rootkit uses he Bash shell to launch itself.

Virus

A program that embeds itself in another program and can be executed in many different ways (ex: by clicking a link in a web page or by opening an email attachment)

Worm

A program that replicates itself to spread to other computers exploiting security weaknesses. Common ports for worms are 1098, 4444, and those in the 5000 range.

Remote Access Trojan (RAT)

A program that sends login details to the attacker to enable them to take full control of the computer.

Spam over Instant Messaging (SPIM)/SMiShing

A social engineering attack in which the attacker sends spam messages via instant messaging or SMS.

Influence Campaigns

A social engineering attack to influence people from countries all over the world. - social media (ex: Facebook, Twitter) - Hybrid warfare (e.g.,: carried out by state actors to influence the balance of power in a country by using military, political, economic, or civil means, and conceivably running a campaign to spread disinformation.)

Invoice Scams

A social engineering attack where criminals obtain details of genuine invoices and they submit them for payment but change the blank details (ex: finance teams often look at purchase orders and invoice details as well as the product, but they might not look at the bank details of the person being paid)

Buffer Overflow

A technique for crashing by sending too much data to the buffer in a computer's memory

Dynamic Link Library (DLL) Injection

A technique used for running code within the address space of another process by forcing it to load a DLL. This makes the application run differently from how it was designed to do. (ex: install a malware DLL in another process)

Insider Threat

A threat actor that is an employee of the targeted company. This is the most difficult form of threat actor to protect a company from.

Script Kiddie

A threat actor who does not have high technical knowledge and uses script and code that they find to make an attack against a company. Motivation: want to be seen as a famous hacker and gain notoriety.

Crypto-Malware

A type of ransomware that encrypts data, and it tries to stay in your system for as long as possible without being detected. Once enough data has been encrypted, an ultimatum is given to pay a ransom or the decryption key will be deleted by a certain date.

Logic Bomb

A virus that is triggered by either an action or at a specific date; for example, the Fourth of July or Christmas Day. This could be based on time, running a *.bat/cmd* file, a script, or using a task scheduler.

Polymorphic Virus

A virus that mutates as it spreads so that it is difficult to detect. The hash value changes as it mutates and it may case a program error if not found.

Fileless Virus

A virus that runs in memory and is very hard to identify as it piggybacks itself onto other programs, phishing attacks, or applications, such as Word. Prevention: McAfee Behavior Analysis detects programs that execute at the same time as the legitimate software.

Pass-the-Hash Attack

An exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.

Hactivist

An external threat actor who defaces a website or breaks into a computer or network. They are politically motivated and seek social change.

Advanced Persistent Threat (APT)

An external threat that tries to steal data from a network, but they are there for a long period of time. They are very sophisticated and could be funded by a foreign government.

Adware

An unwanted program that keeps popping up with unwanted advertisements. Prevention: Enable a pop-up blocker

State Actor

Another country that poses a threat to a country. Motivation is to undermine a nation.

Malicious USB Drive

Attacker leaves a malicious USB drive where an employee might find it. If it is found and inserted into a computer, malicious code will run and give the attacker control of the computer.

Phishing

Attacks carried out by emailing someone, requesting that they need to complete the attached form (ex: there is a problem with their bank account)

Familiarity and Trust

In preparation for social engineering attacks, hackers make themselves familiar to their victims to built trust so that the victim doesn't question the hacker's actions

Salting (Key Stretching)

Inserting random characters in a password. This will prevent a dictionary attack, but not a brute force attack.

Ransomware

Involves the attacker encrypting the files on a user's computer and then displaying a link asking for money to release the files. (If you have to part with money, it is ransomware.)

Trojan

Malware embedded in programs that you download. They try to exploit system32.exe and then run a DLL file to attack the operating system kernel. This is the management part of the operating system. The Trojan will try to find password information and set up an SMTP engine that uses a random port to send those details to the attacker.

Command and Control Malware

Malware that takes over the complete computer and can then be used to steal data, reboot, or shut down the computer or perform a Distributed Denial-of-Service (DDoS) attack on your network. It can be launched via a phishing attack or downloaded malware.

Reconnaissance

Passive Reconnaissance: Where an attacker researches the victim's company and collects information that will be used at a later stage Active reconnaissance: Where the attacker interacts with the user or their desktop (ex: if someone has victim's username and ties o reset the password, that would be active reconnaissance if they go to your run command or alter victim's registry)

Consensus (a.k.a. social proof)

When an attacker uses the need of people to be accepted by their peers and co-workers to their advantage to get information from the victim

Potentially Unwanted Programs (PUPs)

Programs that are downloaded with other programs and they tend to use resources and slow your computer down. Once it is activated, it replicates itself, going from host to host. A lot of viruses use port 1900. Prevention: Install Malwarebytes (alerts user when PUPs installed)

Account Lockout

Refers to the number of incorrect logon attempts permitted before a system locks an account. Each bad logon attempt is tracked by the bad logon counter, and when the counter exceeds the account lockout threshold, no further logon attempts are permitted.

Authority

When an email is sent out, appearing to be someone in authority, ordering the victim to complete a form that can be accessed by a link.

ARP Broadcasting

Sends unsolicited ARP replies to the victim

Piggybacking

Similar to tailgating, except they have permission from an employee. (ex: pretend to be a hospital porter so that an employee allows them access)

Improper Error Handling

Software that does not properly trap an error condition and provides an attacker with underlying access to the system.

IP Spoofing

The modification of an Internet Protocol (IP) packet using a fake IP address to mask the identity of the sender. This prevents the attacker from being traced when they carry out a malicious attack.

Criminal Syndicates

Threat actors that target companies mainly to steal money. The either want to blackmail a company into paying a ransom for the return of data, or they threaten to make that information public by publishing it on the internet or selling it to a competitor.

Password Attack - Dictionary Attack

Use all the words in the dictionary to crack a password

MAC Cloning/Spoofing

Used when you want to pretend to be a different device, so you can connect to a network device or bypass the security on a captive portal.

Password attack - Brute Force

Uses combination of letters and characters to crack a password. Length of password will slow down the attack, but it will eventually be cracked. - Online mode: Attacker must use the same login interface as the user's application - Offline mode: Attacker steals the password file first, and then tries to crack each user's password offline. They cannot be detected and so have unlimited attempts at cracking the password.

Spraying Attack

Using most common passwords one at a time against a list of users in the hope that one matches

Denial of Service (DoS) Attack

When a victim's machine or network is flooded with a high volume of requests from another host so that it is not available for any other hosts to use. Common method: *SYN* flood attack, where the first two parts of the three-way handshake occur, and the victim holds a session waiting for an *ACK* that never comes.

Intimidation

When an attacker pretends to be someone in authority (ex: a policeman), then threatens the victim, telling them that they will be in trouble if they don't do as they are told. This is effective because victims believe that they have no other choice but to do as they are asked.

Session Replay Attacks

When an attacker steals a cookie that contains session information or they use a protocol analyzer and capture the session ID form the http packets.

Scarcity

When an attacker tries to panic the victim into making a snap decision (ex: When a hotel website advertises "1 room left", but there are more than one room left)

Zero-Day Attack

When an exploit is found but, at that time, there is no solution to prevent it. The only way to prevent it it when you have previously taken a baseline of your computer, and then you can check the changes since the baseline; this will identify a zero-day exploit. Cannot be traced or discovered by any security device, as it may take up to 5 days before a patch or update is released. It can be detected by comparing baselines.

Shoulder Surfing

When perpetrators look over a person's shoulders in a public place to get information such as ATM PIN numbers or user IDs and passwords

Tailgating

When someone opens a door using their ID badge and then someone follows them in before the door closes Prevention: Use mantrap

Dumpster Diving

When someone removes the trash from a victim's trash can in the hopes of finding a letter that holds PII that can be used later to commit fraud.

Identity Theft

When someone steals the Personally Identifiable Information (PII) of victim to commit fraud or take control of victim's accounts. Pretexting and phishing are methods of collecting information to be used for identity theft.

Man-in-the-Browser (MITB) Attack

Where a malicious plugin or script has been downloaded and the browser has been compromised. It acts like a trojan.

Resource Exhaustion

Where an attack on an application consumes all of the available memory and CPU cores. It could also be where all of the IP addresses have been allocated on an DHCP server.

MAC Flooding

Where an attacker floods a switch with Ethernet packets so that it consumes the limited memory that a switch has. Prevention: Use and 802.1x-managed switch with an AAA server.

Pivoting

Where an attacker gains access to the network via a vulnerable host. It then attacks a critical server, such as a domain controller or a database server. (Virtual world: VM Escape)

Man-in-the-Middle (MITM) Attack

Where an attacker intercepts traffic going between two hosts and then changes the information between the two hosts.

Privilege Escalation

Where an attacker wants to grant themselves more permissions than they are entitled to. With a higher level of privilege, they will be able to run unauthorized code or make changes to the IT infrastructure. They may try to use someone else's account to access the Active Directory and allocate themselves a higher level of privilege.

Shadow IT

Where people bug their own computers and devices into a network without consent. These devices may not be patched over a period of time and become vulnerable. This may result in a threat actor gaining access to your network via this system and this may lead to pivoting.

SSL Striping.

Where the attackers carry out an SL downgrade attack, where they manage to bypass the certificate-based protection and turn the session into an HTTP attack. This is where they can now capture data such as credit card numbers.

Input Validation

the process of inspecting data given to a program by the user and determining if it is valid