CompTIA Security+ SY0-701 - Domain 2.0 Study Guide
hardware provider
- Can you trust your new server/router/switch/firewall/software? - Use a small supplier base - Strict controls over policies and procedures - Security should be part of the overall design
memory contains running process
- DLLs (Dynamic Link Libraries) - Threads - Buffers - Memory management functions - And much more
Unsecure networks
- Ease of access for attackers - View all (non-encrypted) data. Wireless: - Outdated security protocols (WEP, WPA, WPA2) - Open or rogue wireless networks. Wired: - Unsecure interfaces - No 802.1X. Bluetooth: - Reconnaissance - Implementation vulnerabilities
misinformation process
- Fake users created - Create content - Post on social media - Amplify the message - Real users share the message - Mass media picks up the story
Unsecured admin accounts
- Linux root account - Windows Administrator account. Can be a misconfiguration. Disable direct login to the root account - Use su or sudo instead. Protect accounts with root or administrator access.
DLL injection
An attack that injects a Dynamic Link Library (DLL) into memory and runs it. Attackers rewrite the DLL, inserting malicious code.
phishing attack
An attack that uses deception to fraudulently acquire sensitive personal information by masquerading as an official-looking e-mail.
Aaron Guzman June 2017
Discovered an XSS flaw on the Subaru site where the token never expired, so he could log back in without credentials
Automatic update
Feature that regularly provides new features or corrections to the program - Ensure the update comes directly from the developer
buffer overflow attack
Inputting so much data that the input buffer overflows. The overflow contains code that takes control of the computer.
Web application attacks
- Log4j and Spring Cloud Function - Easy to exploit, rewards are extensive
Operating System (OS)
Software used to control the computer and its peripheral equipment. Remarkably complex - Millions of lines of code - More code means more opportunities for security issues. Vulnerabilities exist - they just haven't been found yet.
Supply Chain Vector
Threat vector that arises when a vendor fails to continue to support a relied-upon system, or fails to provide adequate security for outsourced code development or data storage; strong vendor management practices can identify these issues quickly
Default setting in weak configurations
credentials unchanged
call tampering
disrupting voice calls
HTML Injection
effectively an XSS event, but instead of using JavaScript or other code, it plants custom HTML statements.
code injection attack
input includes code that is then executed by the attacked system
Memory Injection
- Adds code into the memory of an existing process - Gains access to the data by escalating privileges
Software update best practices
- Always have a known-good backup - Install from a trusted source - Back up files beforehand in case the update fails
Protecting against XSS
- Be careful when clicking untrusted links - Consider disabling JavaScript, or control with an extension - Keep your browser and applications updated - Keep your web server applications updated
code injection attack types
- HTML - SQL - XML - LDAP
Malware is hidden
- Runs its own process - Injects itself into a legitimate process
Knock-off hardware
- Sold as authentic products - Until they start breaking or having issues
DHS arrests reseller CEO - July 2022
- Sold more than 41 billion of counterfeit Cisco products - Created over 30 different companies - had been selling this since 2013
programming conundrum
- Sometimes, things happen at the same time - This can be bad if you've not planned for it
Out of bounds write
- Write to unauthorized memory areas - Data corruption, crashing, or code execution
Authentication bypass
Accessing restricted content without authenticating. Caused by a lack of authentication verification. Can lead to privilege escalation.
Best practices for OS vulnerability
Always update - Monthly or on-demand updates - Usually a race between user and attacker. May require testing before deployment - A patch might break something else. May require a reboot - Save all data. Have a fallback plan.
Cross-Site Scripting (XSS)
An attack that injects scripts into a Web application server to direct attacks at clients. - Takes advantage of the trust a user has for a site - Complex and varied - Carried out using JavaScript
Sideloading
Downloading an app from an unofficial third-party website.
When downloading and installing updates
Installing updates from a downloaded file - Always consider your actions - Every installation could potentially be malicious. Confirm the source - A random pop-up during web browsing may not be legitimate. Visit the developer's site directly - Don't trust a random update button or a random downloaded file. Many operating systems will allow only signed apps - Don't disable your security controls.
Attributes of Threat Actors
Internal/external - The attacker is inside the house - Or they're outside and trying to get inside. Level of sophistication - Blindly runs scripts/automated vulnerability scans - Can write their own attack malware and scripts. Resources/funding - No money - Extensive funding. Intent/motivation - Data exfiltration - Espionage - Service disruption - Blackmail, etc.
Virtualization security
Quite different from non-virtual machines - Can appear anywhere. Quantity of resources varies between VMs - CPU, memory, storage. Similarities to physical machines - Complexity adds opportunity for attackers. Virtualization vulnerabilities - Local privilege escalation - Command injection - Information disclosure
Unskilled Attackers
Runs pre-made scripts with no knowledge - Motivated by the hunt - Usually internal/external - Not sophisticated - Financially limited
Denial of Service (DoS)
Security problem in which users are not able to access an information system; can be caused by human errors, natural disaster, or malicious activity.
Smishing and Vishing
Smishing is a variation of phishing that involves the use of texting. Vishing is similar to smishing, except the victims receive a voice mail message telling them to call a phone number or access a Web site.
Threat actors
Exploit vulnerabilities to launch attacks - Advanced Persistent Threat (APT) - Hacktivist - Insider threat - Script kiddies
Impersonation/ Identity Theft
Someone who is pretending to be another person. They may use your name and other personal information.
Misinformation
Untrue or wrong information
bounds checking
Performed by the developer, because attackers seek out the openings
Non-persistent (reflected) XSS attack
- Website allows a script to run in user input - Attacker emails a link taking advantage of the vulnerability - Script embedded in the URL executes in the victim's browser - Attacker uses the credentials/session ID/cookie to steal the victim's information without their knowledge
Vulnerable software vectors
Client-based - Infected executables - Known (or unknown) vulnerabilities - May require constant updates. Agentless - No installed executables - Compromised software on the server would affect all users - Client runs a new instance each time
Watering Hole Attack
A malicious attack that is directed toward a small group of specific individuals who visit the same website.
Hardware devices
A piece of hardware equipment, such as a printer or a modem, that is connected to a computer
Race Condition
A programming flaw that occurs when two sets of code attempt to access the same resource. The first one to access the resource wins, which can result in inconsistent results.
service provider
A role performed by an organization in a service relationship to provide services to consumers. - Usually has access to internal services - Many different types of providers - Consider ongoing security audits (usually incorporated into the contracts)
End of life (EOL)
A term used to describe the date by which the vendor or manufacturer ceases to support and provide software updates and patches for a product or software application - May continue supporting the product
social engineering attack
A type of attack where the goal is to obtain sensitive data, including user names and passwords, from network users through deception and trickery.
Remote Code Execution
A vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability.
Dynamic Link Library (DLL)
A Windows library containing code and data. Many applications can use the same library.
Persistent XSS attack (stored)
Attacker uses social media to upload a malicious payload with the intent of getting users to click the link - It's persistent - No specific target - Can spread quickly
Mobile Device Security
Challenging to secure - Often needs additional security policies and systems. Relatively small - Can be almost invisible. Almost always in motion - Can never know where it might be. Packed with sensitive data - Personal and organizational. Constantly connected to the internet.
Executing the watering hole attack
Determine which website the victim group uses - Educated guess (local coffee or sandwich shop) - Industry-related sites. Infect one of these third-party sites - Site vulnerability - Email attachments. Infect all visitors - But you're just looking for specific victims - Now you're in!
removable device vectors
Get around the firewall via the USB interface. Malicious software on USB flash drives - Infect an air-gapped network - Industrial systems, high-security services. USB devices can act as a keyboard.
Insider threats
Legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident - like giving up or losing passwords, or leaving them on the computer, which leaves the door open for hackers. Medium level of sophistication - Insider has institutional knowledge - Attacks can be directed at vulnerable systems - Insider knows what to hit. Extensive resources - Using the organization's resources against itself.
SolarWinds Hack
In early 2020, suspected Russian hackers inserted malicious code into SolarWinds' software system called "Orion". When SolarWinds sent out software updates for "Orion" to its 33,000 customers, the malicious code was able to create backdoors that enabled the hackers to spy on many different organizations, including the National Nuclear Security Administration, which maintains the U.S. nuclear stockpile.
Escaping the VM
March 2017 - Pwn2Own competition - Hacking contest - You pwn it, you own it - Along with some cash. JavaScript engine bug in Microsoft Edge - Code execution in the Edge sandbox. Windows 10 kernel bug - Compromise the guest operating system. Hardware simulation bug in VMware - Escape to the host. Patches were released soon afterwards.
Threat Vector
Method used by an attacker to access a victim's machine
Data Exfiltration
The process by which an attacker takes data that is stored inside of a private network and moves it to an external network.
File based vector
More than just executables - Malicious code can hide in many places. Adobe PDF - File format containing other objects. ZIP/RAR files - Contain many different files. Microsoft Office - Documents with macros - Add-in files
Open service ports
Most network-based services connect over a TCP or UDP port - An open port. Every open port is an opportunity for an attacker - Application vulnerability or misconfiguration. Every application has its own open port - More services expand the attack surface. Firewall rules - Must allow traffic to an open port.
Message-based threat vectors
The most successful threat vector, delivered using messaging services such as SMS and email
Brand Impersonation
Pretending to be a well-known brand
Eliciting Information
Procedures or techniques involving interacting and communicating with others that are designed to gather knowledge or information
EOSL (end of service life)
Product life cycle phase where support is no longer available from the vendor. - May have a premium-cost support option - No ongoing security patches or updates - A security concern, since no patches will be available
Organized crime
Professional criminals - Motivated by money - Almost always an external entity. Very sophisticated - Best hacking money can buy. Crime that is organized - One person hacks, others manage the exploits, others sell the data, others manage customer support.
Identity fraud
Refers to a crime in which a criminal obtains and uses a victim's personal data through fraud or deception, usually for economic gain.
Insecure Protocols
Some protocols aren't encrypted - All traffic is sent in the clear - Telnet, FTP, SMTP, IMAP. Verify with a packet capture - View everything sent over the network. Use the encrypted versions - SSH, SFTP, IMAPS, etc.
Hacktivist
Someone who uses computers and computer networks to disrupt services or share secret information in an effort to draw attention to political or social issues. - Financially limited - Can be incredibly sophisticated
Phishing Scam
Spoofed email and website in order to trick a person into providing private information
Nation state actors
State-sponsored attackers employed by a government to launch computer attacks against foes, most commonly an APT - Highly sophisticated - Many possible motivations - External entity - Constant attacks, massive resources
Firmware
System software that controls hardware devices. - Vendors are the only ones that can fix the hardware - Depends on whether they care about fixing it
resource reuse
The hypervisor manages the relationship between physical and virtual resources - Available RAM, storage space, CPU availability. These resources can be reused between VMs - A hypervisor host with 4GB of RAM - Supports three VMs with 2GB of RAM each - RAM is allocated and shared between VMs. Data can inadvertently be shared between VMs - Security patches can mitigate the risk - Time to update the memory management features.
Shadow IT
The information systems and solutions built and deployed by departments other than the information systems department. In many cases, the information systems department may not even be aware of these efforts.
Time of Check to Time of Use (TOCTTOU)
The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.
MSP (Managed Service Provider)
The practice of outsourcing the responsibility for maintaining, and anticipating need for, a range of processes and functions in order to improve operations and cut expenses.
spam over IP telephony (SPIT)
Unsolicited messages being sent over IP telephony.
Open permissions
Very easy to leave a door open - Hackers will always find it. Increasingly common with cloud storage - Statistical chance of finding an open permission.
Typosquatting/URL hijacking
Websites with names similar to real websites; users making typographical errors are sent to a site filled with malware.
Pretexting
a form of social engineering in which one individual lies to obtain confidential data about another individual
Vishing
a phone scam that attempts to defraud people by asking them to call a bogus telephone number to confirm their account information
directory traversal attack
an attack that involves navigating to other directories and gaining access to files and directories that would otherwise be restricted
Business Email Compromise
an exploit in which the attacker gains access to a corporate email account and spoofs the owner's identity to defraud the company or its employees, customers or partners of money.
legacy system
an old system that is fast approaching or beyond the end of its useful life within an organization - Additional firewall rules - IPS signatures for older OSes
buffer overflow attacks
are not simple to conduct
SQL injection attack
attacks against a web site that take advantage of vulnerabilities in poorly coded SQL (a standard and common database software application) applications in order to introduce malicious program code into a company's systems and networks
XSS Vulnerabilities
can be used to hijack the user's session
Default Credentials
Credentials issued with IoT devices - Provide full control of a device
Software updates (software patch)
occur when the software vendor releases updates to software to fix problems or enhance features - Not every update is equally secure
Mirai botnet
Open-source software that takes advantage of default configurations - Takes over IoT devices - Uses 60+ default configs
War Dialing
searching for an idle modem by programming a computer to dial thousands of phone lines
hardware vulnerabilities
security weaknesses caused by design flaws in computer devices and components. They are usually limited to specific device models and are commonly exploited through targeted attacks.
Malware
software that is intended to damage or disable computers and computer systems. - Usually runs in memory
supply chain risk
the likelihood of a disruption that would impact the ability of a company to continuously supply products or services
jailbreaking/rooting
Unlocking Android (rooting) and iOS (jailbreaking) mobile devices to give users full access to the file system and full access to kernel modules - Install custom firmware - Uncontrolled access
Image based vector
Uses the SVG (Scalable Vector Graphics) format to hide a threat inside an image; SVG is described in XML (Extensible Markup Language) - HTML injection - JavaScript attack code - The browser must be able to identify scripting attacks
Security in the cloud
Data is in a secure environment - No physical access to the data center - A third party may have access to the data. Cloud providers are managing large-scale security - Automated signature and security updates - Users must follow security best practices. Limited downtime - Extensive fault tolerance and 24/7/365 monitoring. Scalable security options - One-click security deployments - This may not be as customizable as necessary.
VM Escape Protection
The virtual machine is self-contained - There's no way out - Or is there? Virtual machine escape - Break out of the VM and interact with the host operating system or hardware. Once you escape the VM, you have great control - Control the host and control other guest VMs. This would be a huge exploit - Full control of the virtual world.