Mod C - Cybersecurity Threats, Vulnerabilities, and Attacks
Distributed DoS attack
A Distributed DoS Attack (DDoS) is similar to a DoS attack, but it originates from multiple, coordinated sources.
Common indicators of spam
An email has no subject line. An email is requesting an update to an account. The email text has misspelled words or strange punctuation. Links within the email are long and/or cryptic. An email looks like correspondence from a legitimate business. The email requests that the user open an attachment. If a user receives an email that contains one or more of these indicators, he or she should not open the email or any attachments.
Defending against malware
Antivirus software; up-to-date operating systems and application software.
Defending against attacks
Configure firewalls to discard any packets from outside of the network that have addresses indicating that they originated from inside the network. Regularly patch firewalls and update their firmware. To prevent DoS and DDoS attacks, ensure patches and upgrades are current, distribute the workload across server systems, and block external Internet Control Message Protocol (ICMP) packets at the border. Systems can prevent falling victim to a replay attack by encrypting traffic, providing cryptographic authentication, and including a time stamp with each portion of the message.
SE Tactics - Familiarity
Criminals build a rapport with the victim to establish a relationship. People are more likely to do what another person asks if they like that person.
SE Tactics - Trust
Criminals build a trusting relationship with a victim, which may require more time to establish. A "security expert" calls the victim offering advice and having the credentials to back it up. While helping the victim, the criminal discovers a "serious error" that needs immediate attention. The solution provides the criminal with the opportunity.
Phishing
Cyber criminals use email, instant messaging, or other social media to try to gather information such as login credentials or account information by masquerading as a reputable entity or person. Phishing occurs when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source. The message intent is to trick the recipient into installing malware on his or her device or into sharing personal or financial information.
Acceptable Use Policy
Forwarding hoax emails and other jokes, funny movies, and non-work-related emails at work may violate the company's acceptable use policy and result in disciplinary actions.
Sniffing
It occurs when attackers examine all network traffic as it passes through their NIC, regardless of whether the traffic is addressed to them. Physical security is important in preventing the introduction of sniffers on the internal network.
Smishing
It uses Short Message Service (SMS) to send fake text messages. The criminals trick the user into visiting a website or calling a phone number. Unsuspecting victims may then provide sensitive information such as credit card information. Visiting a website might result in the user unknowingly downloading malware that infects the device.
Defending against Deception
Never provide confidential information or credentials via email, chat sessions, in person, or on the phone to unknown parties. Resist the urge to click on enticing emails and website links. Keep an eye out for downloads that you did not initiate or that start automatically. Establish policies and educate employees about those policies. When it comes to security, give employees a sense of ownership. Do not give in to pressure from unknown individuals.
Defending against Wireless / Mobile Device Attacks
Take advantage of the basic wireless security features such as authentication and encryption by changing the default configuration settings. Restrict access point placement within the network by placing these devices outside the firewall or within a demilitarized zone (DMZ), which contains other untrusted devices such as email and web servers. For authorized employees, utilize a remote access virtual private network (VPN) for WLAN access. Develop a guest policy to address the need when legitimate guests need to connect to the Internet while visiting.
DOS (Maliciously Formatted Packets)
The attacker sends a maliciously formatted packet to a host or application and the receiver is unable to handle it.
DOS (Overwhelming Quantity of traffic)
The attacker sends an enormous quantity of data at a rate that the network, host, or application cannot handle. This causes a slowdown in transmission or response, or a crash of a device or service.
SQL Injection
The cybercriminal exploits a vulnerability by inserting a malicious SQL statement in an entry field. The vulnerability is that the system does not filter the user input correctly for characters in an SQL statement. Criminals can spoof an identity, modify existing data, destroy data, or become administrators of the database server.
Defending against Application Attacks
The first line of defense against an application attack is to write solid code. Validate all inputs as if they were hostile. Keep all software including operating systems and applications up to date, and do not ignore update prompts.
ActiveX Controls
Third parties write some ActiveX controls and they may be malicious. They can monitor browsing habits, install malware, or log keystrokes.
Pretexting
This is when an attacker calls an individual and lies to them in an attempt to gain access to privileged data. An example involves an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient.
Something for something
This is when an attacker requests personal information from a party in exchange for something, like a gift.
Whaling
Whaling is a phishing attack that targets high profile targets within an organization such as senior executives. Additional targets include politicians or celebrities.
botnet
a network of infected hosts, made up of zombies.
spam
also known as junk mail, is unsolicited email. In most cases, spam is a method of advertising. However, spam can carry harmful links, malware, or deceptive content intended to obtain sensitive information such as a social security number or bank account information.
Wi-Fi Protected Access (WPA) and (WPA2)
security protocols under which an attacker cannot recover the key by observing traffic. They are still susceptible to attack because cyber criminals can analyze the packets going between the access point and a legitimate user: cyber criminals use a packet sniffer to capture them and then run attacks offline on the passphrase.
Worms
are malicious code that replicates by independently exploiting vulnerabilities in networks.
Man in the Middle
attack occurs when a criminal intercepts communications between computers to steal information crossing the network. The criminal can also choose to manipulate messages and relay false information between hosts, since the hosts are unaware that a modification to the messages occurred.
SE Tactics - Intimidation
criminals bully a victim into taking action. An executive's secretary receives a call stating that her boss is about to give an important presentation, but his files are corrupt. The cybercriminal asks for the files to be sent immediately to him.
Methods to piggyback
criminals give the appearance of being escorted by the authorized individual; criminals join a large crowd pretending to be a member; criminals target a victim who is careless about the rules of the facility.
RF Jamming
disrupts the transmission of a radio or satellite station so that the signal does not reach the receiving station. The frequency, modulation, and power of the RF jammer need to be equal to those of the device that the criminal wants to disrupt in order to successfully jam the wireless signal.
Command and Control system
handler systems to control the zombies
Ransomware
holds a computer system, or the data it contains, captive until the target makes a payment. It usually works by encrypting data in the computer with a key unknown to the user. The user must pay a ransom to the criminals to remove the restriction.
zombies
hosts infected by malware
Grayware
includes applications that behave in an annoying or undesirable manner. Grayware may not have recognizable malware concealed within, but it still may pose a risk to the user; for example, it can track the user's location. Grayware usually maintains legitimacy by including an application's capabilities in the small print of the software license agreement. Users install many mobile apps without really considering their capabilities.
Social Engineering
is a completely non-technical means for a criminal to gather information on a target. It is an attack that attempts to manipulate individuals into performing actions or divulging confidential information. Social engineers often rely on people's willingness to be helpful but also prey on people's weaknesses.
attack
is a deliberate exploitation of a discovered weakness in computer information systems, either as specific targets or merely as targets of opportunity.
Spear phishing
is a highly targeted phishing attack that uses emails to reach the victims, sending customized emails to a specific person.
Logic Bomb
is a malicious program that uses a trigger to awaken the malicious code. A logic bomb can attack and destroy the hardware components in a workstation or server, including the cooling fans, CPU, memory, hard drives, and power supplies.
Keyboard Logging
is a software program that records or logs the keystrokes of the user of the system.
Malware
is a term used to describe software designed to disrupt computer operations, or gain access to computer systems, without the user's knowledge or permission.
Metasploit
is a tool for developing and executing exploit code against a remote target.
Cross-site Scripting (XSS)
is a vulnerability found in web applications that allows criminals to inject scripts into the web pages viewed by users. This script can contain malicious code. A malicious script of this type can access any cookies, session tokens, or other sensitive information. If criminals obtain the victim's session cookie, they can impersonate that user.
Vulnerability
is a weakness that makes a target susceptible to an attack.
Rogue Access Points
is a wireless access point installed on a secure network without explicit authorization. It can be set up by a well-intentioned employee who is trying to be helpful by making it easier to connect mobile devices. Another way is when a criminal gains physical access to an organization by sneaking in and installs the rogue access point; the criminal sets up the access point as a MitM device to capture login information from users.
Hoax
is an act intended to deceive or trick. It can cause just as much disruption as an actual breach would cause. A hoax elicits a user reaction, and the reaction can create unnecessary fear and irrational behavior. Users pass hoaxes through email and social media.
XML Injection
is an attack that can corrupt the data. After the user provides input, the system accesses the required data via a query. The problem occurs when the system does not properly scrutinize the input request provided by the user. Criminals can manipulate the query by programming it to suit their needs and can access the information on the database. An XML injection attack threatens the security of the website.
Meterpreter
is an exploit module within Metasploit that provides advanced features. It allows criminals to write their own extensions as a shared object; criminals upload and inject these files into a running process on the target. Meterpreter loads and executes all of the extensions from memory, so they never involve the hard drive. It has a module for controlling a remote system's webcam.
Spoofing
is an impersonation attack, and it takes advantage of a trusted relationship between two systems.
Tailgating
is another term that describes the same practice as piggybacking.
Virus
is malicious executable code attached to another executable file, such as a legitimate program. Most viruses require end-user initiation, and can activate at a specific time or date.
Browser hijacker
is malware that alters a computer's browser settings to redirect the user to websites paid for by the cyber criminals' customers. Browser hijackers usually install without the user's permission and are usually part of a drive-by download. Always read user agreements carefully when downloading programs to avoid this type of malware.
Trojan horse
is malware that carries out malicious operations under the guise of a desired operation such as playing an online game. The Trojan binds itself to non-executable files, such as image files, audio files, or games.
Smishing
is phishing using text messaging on mobile phones. Criminals impersonate a legitimate source in an attempt to gain the trust of the victim.
Vishing
is phishing using voice communication technology. Criminals can spoof calls from legitimate sources using voice over IP (VoIP) technology. Vishing takes advantage of the fact that people trust the telephone network.
spyware
is software that enables a criminal to obtain information about a user's computer activities. It often includes activity trackers, keystroke collection, and data capture. Spyware often bundles itself with legitimate software or with Trojan horses. Many shareware websites are full of spyware.
Impersonation
is the action of pretending to be someone else. It is used to undermine the credibility of individuals by using website or social media postings.
Pharming
is the impersonation of a legitimate website in an effort to deceive users into entering their credentials. It misdirects users to a fake website that appears to be official. Victims then enter their personal information thinking that they connected to a legitimate site.
Threat
is the possibility that a harmful event, such as an attack, will occur.
SEO Poisoning
aims to increase traffic to malicious sites that may host malware or perform social engineering. To force a malicious site to rank higher in search results, attackers take advantage of popular search terms.
rootkit
modifies the operating system to create a backdoor. Attackers then use the backdoor to access the computer remotely. It is also common for rootkits to modify system forensics and monitoring tools, making them very hard to detect.
Piggybacking
occurs when a criminal tags along with an authorized person to gain entry into a secure location or a restricted area.
replay attack
occurs when an attacker captures a portion of a communication between two hosts and then retransmits the captured message later. Replay attacks circumvent authentication mechanisms.
Buffer Overflow
occurs when data goes beyond the limits of a buffer. Buffers are memory areas allocated to an application. By changing data beyond the boundaries of a buffer, the application accesses memory allocated to other processes. This can lead to a system crash, data compromise, or provide escalation of privileges.
MAC address spoofing
occurs when one computer accepts data packets based on the MAC address of another computer.
Bluesnarfing
occurs when the attacker copies the victim's information from his device. This information can include emails and contact lists.
SE Tactics - Authority
people are more likely to comply when instructed by "an authority". An executive opens an infected PDF that looks like an official subpoena.
SE Tactics - Consensus
people will take action if they think that other people like it too. Criminals create websites with fake testimonials that promote a product, indicating that it is safe.
SE Tactics - Scarcity
people will take action when they think there is a limited quantity. Criminals offer a limited opportunity that will not last, hoping to spur the victim into taking action quickly.
SE Tactics - Urgency
people will take action when they think there is a limited time. Criminals establish a deadline for taking action based on a certain price.
Scareware
persuades the user to take a specific action based on fear. It forges pop-up windows that resemble operating system dialogue windows. These windows convey forged messages stating that the system is at risk or needs the execution of a specific program to return to normal operation. In reality, no problems exist, and if the user agrees and allows the mentioned program to execute, malware infects his or her system.
Backdoor
refers to the program or code introduced by a criminal who has compromised a system. It bypasses the normal authentication used to access a system.
Wired Equivalent Privacy (WEP)
is a security protocol that attempted to provide a wireless local area network (WLAN) with the same level of security as a wired LAN. WEP uses a key for encryption. WEP also has several problems with its initialization vector (IV), which is one of the components of the cryptographic system: it is a 24-bit field, which is too small; it is cleartext, which means it is readable; and it is static, so identical key streams will repeat on a busy network.
IP spoofing
sends IP packets from a spoofed source address to disguise itself.
ARP spoofing
sends spoofed ARP messages across a LAN to link the criminal's MAC address with the IP address of an authorized member of the network.
zero-day attack
sometimes referred to as a zero-day threat, is a computer attack that tries to exploit software vulnerabilities that are unknown or undisclosed by the software vendor.
DNS server spoofing
modifies the DNS server to reroute a specific domain name to a different IP address controlled by the criminal.
Man-in-the-Mobile
takes control over a mobile device. The infected mobile device sends user-sensitive information to the attackers.
Bluejacking
is the term used for sending unauthorized messages to another Bluetooth device. A variation of this is to send a shocking image to the other device.
adware
typically displays annoying pop-ups to generate revenue for its authors. Some versions of software automatically install adware. It is also common for adware to come with spyware.
Whale phishing
uses emails to reach the victims.
Evil Twin Attack
uses the criminal's access point improved with higher power and higher gain antennas to look like a better connection option for users. After users connect to the evil access point, the criminals can analyze traffic and execute MitM attacks.