Cryptographic Attacks

An unauthenticated scan

An unauthenticated scan is performed the same way an intruder would be expected to scan the network. No credentials are used. This way, the company can get an accurate view of the vulnerabilities that are present and exploitable without ever logging into the network.

Examples of vulnerability scanners are

Nessus and Microsoft Baseline Security Analyzer

Types of Actors

Script Kiddies Hacktivist Organized Crime Nation States/APT Insider Threats Competitors

vulnerability scanning

There are two approaches to vulnerability scanning, authenticated and unauthenticated scans.

Cryptographic Attacks

Birthday Attack Rainbow Tables Dictionary Weak Implementation Brute force Downgrade

Rainbow Tables

• A rainbow table is a table of common hashes for plaintext while using various hashing algorithms. These tables are pre-calculated so an attacker has to do little work to utilize one. •A Rainbow table can be compared to a master password file of corporate users, and if the rainbow table is able to successfully discover a user's password, then you know one of two things must be true (or both). •The user's password is weak. •The hash algorithm used by the company is weak. • •Attackers can also build their own rainbow table while attempting to brute-force a hash.

Hacktivist

•A Hacktivist is a person that uses hacking to promote a cause or push a political agenda •A hacktivist can be anything from an individual getting attention for a cause to a cyberterrorist. •This can cause a moral grey area when viewing a hacktivist. Some will support the cause and others will condone it depending on the cause. • •Hacktivism is frequently a red herring for a more threatening attack. For example, a website might get defaced and some credit cards might be discreetly stolen.

Misconfiguration/weak configuration

•A Misconfigured device can cause all sorts of issues, and can be an issue with any device. • •Weak configurations can cause open passage ways into your systems for attackers, create easily prevented vulnerabilities, and much more. • •Intentional but weak configurations are equally dangerous, for example, setting a password to only require lowercase and uppercase letters, but no numbers or special characters.

Pivot & Initial Exploitation

•A Penetration testing pivot is the first steps into a network or system. The pivot point is the point where the hacker can then branch out and compromise other parts of the system or other devices on the network. •The pivot is basically the initial exploitation that is required to a hacker to compromise the rest of the network.. •After this initial exploitation takes place, the attacker/ tester will either hit the systems they planned to hit and go, or use this pivot point as a persistent means to continue to compromise the system.

Race Condition

•A Race Condition is when multiple events try to be processed by a system at the same time, potentially causing them to be processed in the wrong order. •An issue with sequence dependent events. • •One file being access by multiple users at once, if both are saved by the different users, can cause the file to be corrupt, or one user's changes never saving.

Script Kiddies

•A Script Kiddie is some form of unskilled hacker who has no real skill of their own. They will utilize common or easily implemented vulnerabilities that can be found online. • •Script kiddies are assumed to be unskilled and thus a minor threat when compared to other threat actors. • •Script kiddies might be a threat to your untrained users, but generally user training and proper security controls on the network can mitigate most attacks that would be carried out by a script kiddie.

Birthday Attack

•A birthday attack is an attack on hashed password that utilizes the same logic as the birthday problem. Which is to say, even if there are many different possible hashing outputs, you are likely to find two different inputs with the same hash. • •The amount of attempts required for a probable match is less than one might think, for example: •1 in 21 (4%) chance to match after 100 attempts if there were 100,000 unique hashes. •1 in 3 (39%) chance to match after 100 attempts if there were 10,000 unique hashes. • •Keep in mind, while more unique hashes exist, hashes can be brute-forced at a rate of hundreds per second.

Brute Force

•A brute-force attack is an attempt to manually guess a password, pin, or any other passphrase-like authentications in order to gain access to an account or system. •Alternatively, the attacker can attempt to guess an encryption key using a program or algorithm. • •In theory, any key could be bruteforced, but some forms of encryption are estimated to require so much time to break, that it is considered statistically impossible.

Buffer Overflow

•A buffer overflow is a condition where a process attempts to store more data into a memory variable than that variable accepts. Basically it writes too much data into an application's memory and causes the application to crash. • •If successful, a buffer overflow can lead to a DoS. • •The most common exploit of an Internet-exposed network service or a web server is a buffer overflow.

default account

•A default account is using the main account that was supplied by the device vendor. • •If at all possible: •Always change (or better yet remove) the default account. •Create a new account and make sure that you use a complex password. •Even try to get away from using the account name Administrator or Admin.

dictionary attack

•A dictionary attack is similar to a brute-force but instead of systematically working through otherwise random passwords, a dictionary attack goes after common passwords first. •This way, passwords like "password" or "12345" would be quickly broken. • •Companies can mitigate this attack by training user on secure password usage and by enforcing a strict password policy. The dictionary attack can still be successful, but it prevents those easy passwords from being discovered quickly.

downgrade

•A downgrade attack is an attack that forces a system to utilize a weaker form of encryption or security. This way, the attacker can have an easier time breaking the weaker encryption as opposed to the previously implemented one. •Or, if possible, to force the target system to abandon encryption entirely. • •This type of attack can be a result of a main in the middle attack, which all of the user's traffic is sent through a malicious device. The attack negotiates the user's connection to use a weaker encryption. •This can be prevented by not allowing a user to use older versions of an application or protocol, forcing the latest and greatest security.

false negative

•A false negative is when a system reports that a verified user is unauthorized.

•A false positive

•A false positive is when a system identifies an unauthorized user and allows them access.

memory leak

•A memory leak can occur when a system incorrectly manages memory allocations in such a way that memory that is no longer being utilized or needed is not release. • •Basically, an application consumes demands more and more utilization of the system's RAM but never returns and unused memory to the system. •This will lead to the eventual crashing of the software.

Penetration Testing

•A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker or Cracker

Black Hat Hacker or Cracker.

•A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker or Cracker. • •A penetration tester should perform a penetration test when the penetration tester has written permission from the network owner. • •Penetration testing actively tests security controls and can cause system instability.

Identifying Vulnerabilities

•A possible result from a vulnerability scan is identifying a lack of security controls. •This points out a complete lack of a security measure as opposed to a gap in an existing one. • •Running a second scan is especially important in these cases as you would need to check if the new controls you put in place still present vulnerabilities.

Vulnerability Scanner

•A vulnerability scanner is a computer program designed to search for and map systems for weaknesses in an application, computer, or network. • •These utilities are the least intrusive and check the environment for known software flaws.

Weak and default passwords

•A weak password is a password that can be easily guessed. Passwords should be long enough and meet some sort of complexity to be hard to guess or be cracked by a password cracker. • •When creating a strong password, length is the most important factor to consider. This is closely followed by complexity, which uses upper-case, lower-case, special characters, and numbers. • •Always change default passwords in software and hardware! Until you do, the password can be easily obtained by downloading vendor documentation.

•A zero-day attack or threat

•A zero-day attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or the software developer. •Also called zero-day vulnerabilities. •Could be used to cause buffer overflows. • •With a Zero-Day exploit, either there is no fix for the vulnerability yet, or the fix was just released and not everyone has patched their systems yet.

Active reconnaissance

•Active reconnaissance refers to the act of attempted to gather information from a group, website, etc. by the use of scanners, software, or a similar method requiring technical knowledge.

•An Advanced Persistent Threat (APT)

•An Advanced Persistent Threat (APT) describes a group of well organized attackers, possibly from an enemy country, who use very sophisticated and targeted attacks against your organization.

An authenticated scan

•An authenticated scan is performed with internal network credentials. This can usually see a more full picture of the network and can also simulate a scan from an internal threat,

Improperly configured accounts

•An improperly configured account can compromise system security or prevent a user from accessing resources they should have access to. •Without proper permissions to networked resources, a user might be unable to do their job. •With too many permissions, a user might be able to access resources they should never have access to, potentially compromising the network. • •Default accounts should never be utilized on a secure network.

An integer overflow

•An integer overflow is when some integer is expected, but an integer outside of the expect range is forced into the application. • •For example, in a Date of Birth field it asks for month and day, and the user inputs, "3" for the month but "32" for the day. •32 is larger than the expected largest number of 31 days in march.

resource exhaustion

•Anything from a computer to a piece of software only has certain allotted resource, either by hardware restraints or by design. •Software that utilizes the maximum allotted CPU usage my become sluggish or crash, causing a DOS •A server that reaches maximum CPU usage might also become sluggish, and be slow to respond to requests, also causing a DOS • •A DDOS frequently relies on exhausting resources of a server for the attack to be effective.

Intrusive vs. non-intrusive

•As compared to a penetration test, a vulnerability scan tends to simply glance over a system to reveal compromises where the latter attempts to break through systems to reveal them. •While a scan has the capability of slowing down a system during its operation it still allow for regular business operation to continue.

End of System Life & Lack of Vendor support

•As software and hardware ages, it eventually reaches a point where it needs to be replaced with newer technology. • •Older machines tend to have know vulnerabilities that an attacker could exploit. •Machines that go unpatched to new threats are susceptible to them. • •Systems without vendor support may reach a state where they are in need of repair, but no support exists to repair them.

Identifying Vulnerabilities Cont.

•Attackers often look for systems that are misconfigured, but vulnerability scanners can detect some common misconfiguration settings. •Some of these common misconfigurations include unintentionally open ports, default accounts and passwords, and weak passwords. • •Some scanners can also detect if certain sensitive data is being sent over the networks when it should not.

•Improper input validation could lead to:

•Buffer overflow attacks •Command injection attacks •XSS and XSRF attacks •And many more!

Persistent Penetration Attack

•In a Persistent Penetration Attack, after the initial attack, the attacker will continue to monitor the target network. • •As the threat scape changes due to new exploits, or as improved methodologies are developed, these new attacks are compared against the target network to identify new risks. • •This more accurately simulates the approach of real-world methods

Improper Input Validation

•Input validation, also called data validation, is the process of ensuring that a program operates on clean, correct, and useful data. •Should be used to make sure your applications are coded in a secure manner.

Insider Threats

•Insider Threats are perpetrated by individuals that are a part of the targeted group/company. They may aim to vandalize assets as a form of revenge, steal proprietary assets for resale on the dark web, or simply send sensitive data to anybody who asks. •The hard part, of course, is distinguishing these actions from all the legitimate activity that occurs every day on your network. • Some tactics could help mitigate an insider threat, like least privilege or job rotation

Attributes of Actors

•Internal vs. External - An internal threat is one that originates from within the targeted group and will have an easier time getting through or already have access to that groups information making them potentially more dangerous then an external threat that would have to break through the security. • •Level of Sophistication refers to the amount of organization, and expertise that are attributed to the particular attacker.

Improper certificate and key management

•Not keeping certificates up to date can lead to several devices on a company network not trusting each other. • •Outdated certificates that are never renews can also prevent a company smart card from granting access to the building, even for a valid employee. • •Not securing the private keys of your employees, servers, certificate authorities, etc. from an outside attack can lead to a compromise of those keys, making them untrustworthy. •It is especially harmful if the CA is compromised, as all certificates signed by that CA become untrustworthy.

Passively Testing

•One way that vulnerability scanning distinguishes itself from penetration testing is the amount of work involved in conducting it. •When a vulnerability scan is conducted it runs on its own to search for compromises based on a database without active involvement. • •Ends up not being as thorough, but allows for regular business operation to continue.

•Open-source intelligence (OSINT)

•Open-source intelligence (OSINT) is publicly available information that any corporation or individual can utilize in order to keep up to date on many types of attacks and threats. •This could included many sources including, but not limited to, the news, social media, and publicly available reports. •OSINT is simply any openly available information to the public.

Passive Reconnaissance

•Passive reconnaissance is characterized by the lack of technical expertise used to glean information. •As an example, finding employee names from a business's public-facing website.

Privilege Escalation

•Privilege escalation is a type of attack that occurring when the attacker uses an account that has read-only access to gain access to an account that has full control access.

Privilege Escalation

•Privilege escalation is the act of exploiting a bug or design flaw in a software application to gain access to resources which normally would have been protected from an application or user.

what control type is vulnerability scan?.

•Scheduling vulnerability scans is a management control type.

false positive/negative

•Sometimes when a scan is conducted it may yield results that are misleading in the form of false positives and negatives

The Nation State Actor

•The Nation State Actor are hacker that are generally legally hacking for the government of their country. They are usually well trained and will have a set a focused target. • •An Advanced Persistent Threat (APT) describes a group of well organized attackers, possibly from an enemy country, who use very sophisticated and targeted attacks against your organization.

organized crime

•The most common adversary thought of when discussing data theft, cyber-criminals seek the immediate satisfaction of a financial payout. They typically target personal and financial information, hoping to exploit or sell the data for their own financial gain. • •This is typically carried out by an organized group of attackers trying to reap financial gain.

Identifying Vulnerabilities

•The primary purpose for vulnerability scans is going to be to search a system, check back to it's database of filed vulnerabilities, and point out flaws that match. • •An important practice to observe when scanning is to run additional scans after vulnerabilities are found as there may others that have surfaced since the last ones were found and removed.

competitors

•Threats posed by competitors are, simply, threats perpetrated by competing groups in order to gain some sort of edge or handicap their rivals. •Threats may include disrupting day-to-day operations, exposing sensitive information, destroying public relations, etc.

Untrained users

•Untrained users can cause countless problems, more so than any other issue. •Untrained users can cause minor hiccups in day to day operations. •Untrained users can cause a complete system failure. • •Users need to be trained and kept up to date on a few aspects to prevent a failure. •Latest best security practices to prevent social engineering attempts. •Functionality of a system to prevent misconfigurations. •Much, much more.

Weak Implementation

•Weak encryption based attacks target the implementation or the algorithm itself, that is used in implementing password based authentication. • If the attacker has access to the location where the passwords are stored, and if there are suitable conditions for the attacker to break the passwords, then it is pretty much a situation of compromise.

Attributes of Actors

•What also helps to determine the effectiveness of an attacker is the amount of resources and funding that are available to them. •Where a Script Kiddie would have little to none to pull from, a Nation State would have resources from the government that employed them. •Intent is also important in assessing a threat as an attacker seeking to expose government secrets will be assessed more dangerous than an attacker seeking to deface a public website.

Improper Error Handling

•When a piece of software receives an error, it wants to handle that error gracefully and without compromising itself or the underlying system. • •In an extreme example, an error improperly handled can cause the application to crash completely, causing a DOS.

Undocumented Assets

•While undocumented assets not immediately effect a company, one of a few negative outcomes can be possible. •Something is stolen, but not detected because of lack of documentation. •An employee never returns a company laptop, but is forgotten about. •A stolen laptop is used to exfiltrate data from the network, but the vulnerability goes undetected because no known laptop exists to be stolen. • •Additionally, not documenting company assets can lead to an inefficient use of company resources. •An undocumented asset can't be utilized if the company is unaware of its existence.