Threats, Attacks, and Vulnerabilities
Intrusive vs Non-intrusive (vulnerability scanning)
-Most scanners let you choose between intrusive and non-intrusive (dangerous and safe) modes
-Scans running in non-intrusive or safe mode will not perform tests that could disrupt system operation
-Safe mode does not give an accurate picture of security because it fails to show whether attacks would actually succeed
-You can balance this by scanning production systems in safe mode, cloning those systems, and running dangerous-mode scans against the clones
-Penetration testing is intrusive; vulnerability testing is non-intrusive
Passively Testing Security Controls (vulnerability scanning)
-important to remember: a vulnerability scanner passively identifies weaknesses and does not perform exploitation
Identifying Vulnerabilities and Misconfigurations
-vulnerability scanners use a database or dictionary of known vulnerabilities and test systems against that database
-detect misconfigurations: open ports, weak passwords, default accounts and passwords, sensitive data, and security and configuration errors
Social Engineering Principles [reasons for effectiveness]
Authority: people have grown up to respect authority and are more likely to comply when a person of authority tells them to do so -ex: impersonation, whaling, vishing
Intimidation: may be through bullying tactics
Consensus: ex: fake testimonials for a product on a malicious site
Scarcity
Urgency
Familiarity: shoulder surfing, tailgating
Trust
**Many of the reasons that social engineers are effective are because they use psychology-based techniques to overcome users' objections. Scarcity and urgency are two techniques that encourage immediate action.**
Open-source intelligence
a method of gathering data using public sources, such as social media sites and news outlets
Initial Exploitation
after scanning the target and discovering vulnerabilities, testers take it a step further and look for a vulnerability that they can exploit
Injection attack
an attack that injects code or commands
Address Resolution Protocol (ARP) poisoning
an attack that misleads computers or switches about the actual MAC address of a system -can be used to launch MiTM or DoS attacks
Disassociation attacks
attack that removes wireless clients from wireless network
Jamming attack
attacker brings powerful transmitter into vicinity of wireless network and broadcasts strong signal that overpowers legitimate wireless access points
Man-in-the-Browser (MiTB)
attacker compromises user's web browser or browser plug-in to gain access to web communications -type of proxy Trojan horse
Typo squatting aka URL hijacking
attacker creates a URL similar to a real site and copies the look of the legitimate website to trick users into entering login credentials, which are then sent to the attacker. The attack depends on people making simple typing mistakes
-various reasons for initiating include: hosting a malicious website, earning revenue, and reselling the domain
Pass the hash
attacker discovers the hash of the user's password and then uses it to log on to the system as the user
-any authentication protocol that communicates over the network in an unencrypted format is susceptible to this attack
-recommended to use NTLMv2 or Kerberos
Cross-site scripting (XSS)
attacker embeds malicious code in a third-party website that then runs within the web browsers of other visitors to that site. This happens when the website allows users to enter input that is displayed to other users
-mitigate with input validation at the server and use of a security encoding library
Dumpster diving
attacker goes through physical trash in search of sensitive documents -should shred or burn papers instead of throwing them away
White box test
attacker has full knowledge of network environment
Black box test
attacker has no prior knowledge of enterprise IT environment and seeks to gain that knowledge as they move through attack and discovery phases
Gray box test
attacker has some knowledge of system
Birthday attack
attacker is able to create a password that produces the same hash as the user's actual password
-aka collision
-thwarted by increasing the number of bits used in the hash to increase the number of possible hashes
Shoulder surfing
attacker looks over the shoulder of the victim as they do something sensitive on their computer
-can also be done remotely using a camera
-can be mitigated by using screen filters
Impersonation
attacker pretends to be another person with the goal of convincing an authorized user to provide some information, or to help the attacker defeat a security control
-mitigated through identity verification methods
Man-in-the-Middle (MiTM)
attacker tricks the sending system during initial communication causing the user to connect directly to the attacker. The attacker connects to the legitimate server and the user authenticates to the fake server from the attacker which lets the attacker view all communications between the client and server. The user is unaware of this intercept.
Downgrade attacks
attacker uses a MitM exploit to force two other systems that communicate with each other to switch to a weak implementation of a cryptographic algorithm that the attacker can eavesdrop on and then crack
Near Field Communication (NFC) attack
attacker uses an NFC reader to capture data from another NFC device
Known-plaintext attack
attacker uses knowledge of encrypted and unencrypted versions of a message to try and crack the decryption key for other messages
Clickjacking
attacker uses specialized HTML content to hide elements of a webpage behind other page elements
Domain hijacking
attackers attempt to steal a legitimate domain or change the domain name without the permission of the legitimate owner
Command injection attack
attackers can inject OS commands into an application using web page forms or text boxes
-any web page that accepts input from users is at risk
-ex: directory traversal attack
Brute force attack
attackers guess all possible password combinations. Only effective against short, non-complex passwords
-mitigate by implementing account lockout policies and using PBKDF2
-Online attacks: guess the password of an online system
-Offline attacks: guess a password stored within a file, such as a database
Persistence
attackers often use various threats that allow them to stay within a network for weeks, months, or years without being detected
-a common technique is creating backdoors
Keylogger
attempts to capture a user's keystrokes
-keystrokes are stored in a file and are either sent to an attacker automatically or the attacker may manually retrieve the file
-typically software but can also be hardware
Sniffing or Eavesdropping
because RFID transmits data over the air, it's possible for an attacker to collect data by listening. A key requirement is to know the frequency used by the RFID system and have a receiver that can be tuned to that frequency. Attackers also need to know the protocols used by the RFID system to interpret the data
-Replay: successful eavesdropping attacks allow the attacker to perform a replay attack
-DoS: if an attacker knows the frequency used by the RFID system, it's possible to launch a jamming or interference attack, flooding the frequency with noise
Ransomware
blocks a user's legitimate use of a computer or data until a ransom is paid
Improper error handling
can often give attackers information about an application
-when an application doesn't catch an error, it often provides debugging information that attackers can use against the application
-in the worst-case scenario, the error can cause the OS to crash
Denial of Service (DoS)
category of attack that disrupts the normal use of computing resources; makes a system or resource unavailable to legitimate users. An attacker sends thousands to millions of requests to a server, overwhelming it, making it unable to answer legitimate user requests
Media Access Control (MAC) spoofing
changing the MAC address of a system through administrative access
Internet Protocol (IP) spoofing
changing the system's IP address through administrative access
Botnets
collection of "zombie" computers used for malicious purposes
Passive reconnaissance
collects information about a targeted system, network, or organization using open-source intelligence
Embedded system (smart devices)
components of the Internet of Things (IoT) stacked into larger systems
-contain a wealth of information that may be valuable in a forensic investigation
-ex: GPS units, security monitoring systems, thermostats, lights, Alexa, Google Home
-in many cases, they connect to a cloud service that provides data storage and added functionality
Weak implementations
cryptographic algorithms with design flaws or small keys -ex: WEP (design flaw), DES (56-bit keys)
Domain Name Service (DNS) poisoning
disrupts normal operation of DNS by providing false results; the DNS cache is modified with a bogus IP address
Penetration testing
executing an attack on a system to best understand its vulnerabilities. The goal is to test security controls by attempting to bypass or defeat them. It is considered successful if the "attackers" infiltrate the target system. It alternates between the attack and discovery phases:
-Attack: seek to gain access to the target system, escalate access to advanced privileges, and then browse through the network looking for new systems that can be accessed from that vantage point
-Discovery: conduct reconnaissance and think of possible exploitable avenues
-starts with passive reconnaissance, then tries to exploit vulnerabilities by simulating or performing an attack
Tailgating
following someone into a secure area without swiping a badge, because the attacker doesn't have one
-mitigated through a mantrap or turnstile
Misconfiguration/Weak configuration (secure systems)
follow the steps below to mitigate these:
-implement hardening practices to help eliminate vulnerabilities from default configurations, misconfigurations, and weak configurations
-implement least functionality
-uninstall unneeded software and disable unnecessary accounts
-avoid backdoors
-change default account names and passwords
Bluesnarfing
forcing a pairing between the victim's device and the attacker's, then using the pairing to pull down contacts and other information from the device
**Ensure Bluetooth devices cannot be paired without manual user intervention to prevent Bluetooth attacks.**
Evil twin attack
hacker sets up a fake access point with the SSID of a legitimate network to lure unsuspecting users, whose devices automatically connect to it when they are in the fake access point's vicinity
Nation-state
highly skilled and well-funded individuals sponsored by a country's government
Insider threat
individual within the organization, often with administrative or executive privileges, who is triggered to attack the organization by a stressful event (mental, disciplinary, or being disgruntled)
Hacktivist
individuals seeking to use their hacking skills to advance a political or social agenda
Script kiddies
lone individuals who hack to see if they can break into systems
Shim
malicious driver. The shim receives the request from the operating system and passes it on to the legitimate driver so the device functions normally. The shim can also carry a malicious payload that runs in the background
Trojan horse
malware disguised as legitimate software which, when run by a user, also has a hidden malicious payload that performs unwanted actions behind the scenes
Spyware
malware that gathers information without the user's consent or knowledge
Adware
malware that has specific purpose of displaying advertisements to generate revenue for the malware author
Logic bomb
malware that's set to execute a payload when certain conditions are met
Hoax
message, often circulated through email, that tells of impending doom from a virus or other security threat that simply doesn't exist
-users can be convinced to perform an action that results in loss of data or capabilities
Competitors
motivation is to gain proprietary information about another company
-various methods including open source research, illegal activity, dumpster diving, and hiring employees to provide information about their previous employer
Vulnerability scanners
obtain details of the services running on ports and check those ports for known vulnerabilities. The scanner has a database of known vulnerabilities and exploits and tests the server to see if it contains any of them
-identify which systems are susceptible to attacks
Backdoor
occurs when a programmer provides a means to grant themselves or others future access to a system
Race condition
occurs when the proper functioning of a security control depends upon the timing of activities performed by the computer or user
-when two or more modules of an application, or two or more applications, attempt to access a resource at the same time
-most developers include methods to avoid them when writing code
-online ticket sites can lock the selection before offering it to a customer, or double-check for conflicts later in the process
-most database applications have internal concurrency control processes to prevent two entities from modifying a value at the same time
Collision
occurs when the hashing algorithm creates the same hash from different passwords
Improper input handling (or the lack of input validation)
one of the most common security issues in web-based applications
-it allows many different types of attacks, such as buffer overflow, SQL injection, command injection, and XSS
Dictionary attack
operates under the assumption that people use words as passwords and tries all words in the English language first
-mitigate by using complex passwords
Spear phishing
phishing attacks personalized to a specific person, group, or organization -digital signatures reduce success of this
Rainbow table attack
pre-computing common password hashes, saving a computational step during the attack
-salt passwords or implement PBKDF2 to mitigate
Refactoring
process of rewriting the internal processing of the code, without changing its external behavior -usually done to correct problems related to software design
Pivot
process of using an exploited system to target other systems
Initialization vector (IV)
provides a starting value for a cryptographic algorithm; it is a fixed-size random or pseudo-random number that helps create random encryption keys
-ideally, it should be large enough that the algorithm doesn't reuse the same number and re-create the same encryption keys
-used in encryption ciphers, WEP, and older SSL implementations
Crypto-malware
ransomware that encrypts all data on the computer except the OS and holds it for ransom
-uses public-key cryptography: no way to decrypt the data without obtaining the key from the attackers
-make sure to keep the OS and systems up to date, update antivirus signatures, and keep backups offline
Non-credentialed scan
scan without using user credentials
-attackers typically run this; they will try to obtain credentials and, if successful, run a credentialed scan
-administrators run these scans to view what an attacker would see
Identifying Lack of Security Controls (vulnerability scanning)
scanners can identify missing security controls such as up-to-date patches or lack of antivirus software
Bots
software robots
Rootkits
software techniques designed to hide other software on a system
-have system-level or kernel access and can modify system files and system access
-use hooking techniques to evade detection
-tools that inspect RAM can uncover hidden processes
Remote access Trojan (RAT)
specific type of Trojan horse which gives hackers the ability to remotely access and control infected systems
Virus
spreads from system to system based upon some type of user action
Worm
spreads from system to system without user action
Session hijacking
stealing or predicting valid user credentials to gain unauthorized access to a web server
-takes advantage of session IDs stored in cookies
Privilege Escalation
the process of gaining elevated rights and permissions
Wi-Fi Protected Setup (WPS) attack
tool that tries different PINs until it succeeds. Once the PIN is known, it can then discover the passphrase of WPA and WPA2 wireless networks
Phishing
trick users into revealing passwords to sensitive accounts
Cross-site request forgery (CSRF/XSRF)
tricks users into performing actions on websites, such as making purchases, without their knowledge
-mitigate through dual authentication, forcing users to manually enter credentials prior to performing certain actions, expiring cookies after a short period of time, and use of tokens
Amplification attack
type of DDoS attack that significantly increases the amount of traffic sent to, or requested from, a victim
-can be used against a wide variety of systems, including individual hosts, DNS servers, and NTP servers
Whaling
type of spear phishing focused exclusively on senior executives in an organization
Distributed Denial of Service (DDoS)
use of botnets to overwhelm target
Watering hole attack
use of sneaky techniques to lure unsuspecting users and infect their systems with malware
Structured Query Language (SQL) injection
use of web applications as a mechanism to illegitimately access the database servers that support them and retrieve sensitive information or make unauthorized modifications to the database
-many attackers use the phrase ' or '1'='1' to trick the database server into providing information
-mitigated through proper error handling, input validation, and use of stored procedures with dynamic web pages
Organized crime group
use technical skills for monetary gain via ransomware and extortion attacks. Can also be motivated by corporate espionage.
Shimming
uses additional code to modify the behavior of a driver
Replay attack
uses previously captured data to create a separate connection to the server that is authenticated but does not involve the real end user. The attacker only has an encoded version of the credentials
-WPA using TKIP is vulnerable; newer encryption methods are not
Active reconnaissance
using tools to send data to systems and analyzing the responses
-after scanning a target and uncovering vulnerabilities, the testers look for a vulnerability that can be exploited
End-of-life
vendor no longer supports the product at all and will not release any updates
-ensure no valuable data remains on such devices before disposal
Lack of vendor support
vendors sometimes fail to provide adequate support for their products (understaffed or not committed)
-when a vendor stops supporting a product, any new vulnerabilities will not be patched
Vishing
voice phishing attacks. Hackers call unsuspecting people using social engineering tactics to trick them into revealing sensitive information
Credentialed scans
vulnerability scan that has full details of system configurations
-scans using account information
-often run with administrator privileges to check security issues at a deeper level
-results are more accurate because the scan has easier access to the internal workings of the system
Zero-day vulnerability
weakness or bug that is unknown to trusted sources, such as OS and antivirus vendors
-exploits an undocumented vulnerability
-remains a zero-day until the vendor releases a patch
-in most cases, these are new threats
Bluejacking
when attackers use Bluetooth technology to send spam messages directly to a device. The attacker's goal is to convince the user to visit a website or perform an action that will lead to a more advanced attack
**Ensure Bluetooth devices cannot be paired without manual user intervention to prevent Bluetooth attacks.**
False positive error
when the scanner detects a vulnerability that doesn't actually exist
Rogue access point (rogue AP)
when someone connects an unauthorized wireless access point to an enterprise network
-placed within a network without official authorization
-acts as a sniffer to capture traffic passing through the wired network device and then broadcasts the traffic using its wireless capability
-attacker can capture the exfiltrated data
-can also be used to connect into the wired network
-if discovered, immediately unplug the Ethernet cable to stop it from capturing network traffic
Buffer overflow
when user input exceeds the space within a buffer, the content can overflow from the area reserved for input into an area used for other purposes, and unexpected results may occur
-often includes no-operation (NOP) instructions (such as 0x90) followed by malicious code
-input validation helps prevent this type of attack