Topic 7A: Explain Attacks, Threats, and Vulnerabilities
Hashing and Encryption Concepts:
Many logical security controls depend to some extent on the use of encryption technologies. A message encrypted by a cipher is only readable if the recipient has the correct key for that cipher. The use of encryption allows sensitive data to travel across a public network, such as the Internet, and remain private. There are three principal types of cryptographic technology: symmetric encryption, asymmetric encryption, and cryptographic hashing.
Social Engineering:
Threat actors can use a diverse range of techniques to compromise a security system. A prerequisite of many types of attacks is to obtain information about the network and its security controls. Social engineering —or hacking the human—refers to techniques that persuade or intimidate people into revealing this kind of confidential information or allowing some sort of access to the organization that should not have been authorized.
Digital Signatures and Key Exchange:
Cryptographic hashes and encryption ciphers have different roles in achieving the information security goals of confidentiality, integrity, and availability. Often two or more of these three different types are used together in the same product or technology. The main drawback of asymmetric encryption is that a message cannot be larger than the key size. To encrypt a large file, it would have to be split into thousands of smaller pieces. Consequently, asymmetric encryption is used with cryptographic hashes and symmetric encryption keys to implement various kinds of security products and protocols.
Information Security: Information security is the practice of controlling access to data that is in any format, including both computer data and paper records. Secure information has three properties, often referred to as the confidentiality, integrity, and availability (CIA triad):
-Confidentiality means that certain information should only be known to certain people. -Integrity means that the data is stored and transferred as intended and that any modification is authorized. -Availability means that information is accessible to those authorized to view or modify it.
A threat actor might obtain a database of password hashes from the local system. Common password hash files and databases include %SystemRoot%\System32\config\SAM, %SystemRoot%\NTDS\NTDS.DIT (the Active Directory credential store), and /etc/shadow . The threat actor could also use an on-path attack to capture a password hash transmitted during user authentication. While the original string is not supposed to be recoverable, password cracking software can be used to try to identify the password from the cryptographic hash. A password cracker uses two basic techniques:
-Dictionary —The software matches the hash to those produced by ordinary words found in a dictionary. This dictionary could include information such as user and company names, pet names, significant dates, or any other data that people might naively use as passwords. -Brute force —The software tries to match the hash against one of every possible combination it could be. If the password is short (under eight characters) and noncomplex (using only lower-case letters, for instance), a password might be cracked in minutes. Longer and more complex passwords increase the amount of time the attack takes to run.
A cross-site scripting (XSS) attack exploits the fact that the browser is likely to trust scripts that appear to come from a site the user has chosen to visit. XSS inserts a malicious script that appears to be part of the trusted site. A nonpersistent type of XSS attack would proceed as follows:
1. The attacker identifies an input validation vulnerability in the trusted site. 2.The attacker crafts a URL to perform code injection against the trusted site. This could be coded in a link from the attacker's site to the trusted site or a link in a phishing email message. 3.When the user opens the link, the trusted site returns a page containing the malicious code injected by the attacker. As the browser is likely to be configured to allow the site to run scripts, the malicious code will execute. 4.The malicious code could be used to deface the trusted site (by adding any sort of arbitrary HTML code), steal data from the user's cookies, try to intercept information entered in a form, or try to install malware. The crucial point is that the malicious code runs in the client's browser with the same permission level as the trusted site. This type of XSS attack is nonpersistent because at no point is data on the web server changed. A stored/persistent XSS attack aims to insert code into a back-end database or content management system used by the trusted site. The threat actor may submit a post to a bulletin board with a malicious script embedded in the message, for instance. When other users view the message, the malicious script is executed. For example, with no input sanitization, a threat actor could type the following into a new post text field:
Denial of Service Attacks:
A denial of service (DoS) attack causes a service at a given host to fail or to become unavailable to legitimate users. Typically, a DoS attack tries to overload a service by bombarding it with spoofed requests. It is also possible for DoS attacks to exploit design failures or other vulnerabilities in application software to cause it to crash. Physical DoS refers to cutting the power to a computer or cutting a network cable. DoS attacks may simply be motivated by the malicious desire to cause trouble. DoS is also often used to mask a different type of attack. For example, a DoS attack against a web server might be used to occupy the security team when the threat actor's real goal is stealing information from a database server.
QUIZ: What type of cryptographic key is delivered in a digital certificate?
A digital certificate is a wrapper for a subject's public key. The public and private keys in an asymmetric cipher are paired. If one key is used to encrypt a message, only the other key can then decrypt it.
Digital Signatures:
A digital signature proves that a message or digital certificate has not been altered or spoofed. The sender computes a cryptographic hash of a message, encrypts the hash with his or her private key, and attaches the output to the message as a digital signature. When the recipient receives the message, she or he can decrypt the signature using the public key to obtain the sender's hash. The recipient then computes her or his own hash of the message and compares the two values to confirm they match.
Cryptographic Hashes:
A hash is a short representation of data. A hash function takes any amount of data as input and produces a fixed-length value as output. A cryptographic hash performs this process as a one-way function that makes it impossible to recover the original value from the hash. Cryptographic hashes are used for secure storage of data where the original meaning does not have to be recovered (passwords, for instance). Two of the most used cryptographic hash algorithms are Secure Hash Algorithm (SHA) and Message Digest (MD5). MD5 is the older algorithm and is gradually being phased out of use.
Non-Compliant Systems: A configuration baseline is a set of recommendations for deploying a computer in a hardened configuration to minimize the risk that there could be vulnerabilities. There are baselines for different operating systems and for different server and client roles. For example, a web server would have a different configuration baseline than a file server would have. The basic principle of a configuration baseline is to reduce the system's attack surface. The attack surface is all the points a threat actor could try to use to infiltrate or disrupt the system.
A non-compliant system is one that has drifted from its hardened configuration. A vulnerability scanner is a class of software designed to detect non-compliant systems.
QUIZ: A threat actor crafts an email addressed to a senior support technician inviting him to register for free football coaching advice. The website contains password-stealing malware. What is the name of this type of attack?
A phishing attack tries to make users authenticate with a fake resource, such as a website. Phishing emails are often sent in mass as spam. This is a variant of phishing called spear phishing because it is specifically targeted at a single person, using personal information known about the subject (his or her football-coaching volunteer work).
Shoulder Surfing:
A shoulder surfing attack means that the threat actor learns a password or PIN (or other secure information) by watching the user type it. Despite the name, the attacker may not have to be in proximity to the target—they could use high-powered binoculars or CCTV to directly observe the target remotely, for instance.
Spoofing Threats:
A spoofing threat is any type of attack where the threat actor can masquerade as a trusted user or computer. Spoofing can mean cloning a valid MAC or IP address, using a false digital certificate, creating an email message that imitates a legitimate one, or performing social engineering by pretending to be someone else. Spoofing can also be performed by obtaining a logical token or software token. A logical token is assigned to a user or computer during authentication to some service. A token might be implemented as a web cookie, for instance. If an attacker can steal the token and the authorization system has not been designed well, the attacker may be able to present the token again and impersonate the original user. This type of spoofing is also called a replay attack.
Symmetric Encryption:
A symmetric encryption cipher uses a single secret key to both encrypt and decrypt data. The secret key is so-called because it must be kept secret. If the key is lost or stolen, the security is breached. Consequently, the main problem with symmetric encryption is secure distribution and storage of the key. This problem becomes exponentially greater the more widespread the key's distribution needs to be. The main advantage is speed. A symmetric cipher, such as the Advanced Encryption Standard (AES), can perform bulk encryption and decryption of multiple streams of data efficiently.
SQL Injection Attacks:
A web application is likely to use Structured Query Language (SQL) to read and write information from a database. SQL statements perform operations such as selecting data (SELECT), inserting data (INSERT), deleting data (DELETE), and updating data (UPDATE). In a SQL injection attack, the threat actor modifies one or more of these four basic functions by adding code to some input accepted by the app, causing it to execute the attacker's own set of SQL queries or parameters. If successful, this could allow the attacker to extract or insert information into the database or execute arbitrary code on the remote system using the same privileges as the database application. For example, consider a web form that is supposed to take a name as input. If the user enters "Bob", the application runs the following query: -SELECT * FROM tbl_user WHERE username = 'Bob'
Asymmetric Encryption:
An asymmetric encryption cipher uses a key pair. A key pair is a private key and a public key that are mathematically linked. For any given message, either key can perform either the encrypt or decrypt operation but not both. Only the paired key can reverse the operation. For example, if the public key part is used to encrypt a message, only the linked private key can be used to decrypt it. The public key cannot decrypt what it has just encrypted. The private key must be kept a secret known only to a single subject (user or computer). The public key can be widely and safely distributed to anyone with whom the subject wants to communicate. The private key cannot be derived from the public key.
Evil Twin:
An evil twin attack is similar to phishing but instead of an email, the attacker uses a rogue wireless access point to try to harvest credentials. An evil twin might have a similar network name (SSID) to the legitimate one, or the attacker might use some denial of service (DoS) technique to overcome the legitimate AP. The evil twin might be able to harvest authentication information from users entering their credentials by mistake. For example, the evil twin might allow devices to connect via open authentication and then redirect users' web browsers to a spoofed captive portal that prompts them for their network password.
External vs. Internal Threats:
An external threat actor is one who has no account or authorized access to the target system. A malicious external threat actor must infiltrate the security system using malware and/or social engineering. Note that an external actor may perpetrate an attack remotely or on-premises (by breaking into the company's headquarters, for instance). It is the threat actor who is defined as external, rather than the attack method. Conversely, an insider threat actor is one who has been granted permissions on the system. This typically means an employee, but insider threat can also arise from contractors and business partners. It is important to realize that insider threat can be either malicious or non-malicious. An example of malicious insider threat is a disgruntled or corrupt employee trying to damage or steal confidential company data. An example of non-malicious insider threat is a technician setting up a Minecraft server on one of the company's computers, exposing it to unnecessary risk.
On Path Attacks:
An on-path attack is a specific type of spoofing where the threat actor can covertly intercept traffic between two hosts or networks. This allows the threat actor to read and possibly modify the packets. An on-path attack is often designed to try to recover password hashes. An evil twin is one example of an on-path attack.
QUIZ: Confidentiality and integrity are two important properties of information stored in a secure retrieval system. What is the third property?
Availability—information that is inaccessible is not of much use to authorized users. For example, a secure system must protect against denial of service (DoS) attacks.
QUIZ: A threat actor recovers some documents via dumpster diving and learns that the system policy causes passwords to be configured with a random mix of different characters that are only five characters in length. To what type of password cracking attack is this vulnerable?
Brute force attacks are effective against short passwords. Dictionary attacks depend on users choosing ordinary words or phrases in a password.
QUIZ: True or false? The level of risk from zero-day attacks is only significant with respect to EOL systems
False. A zero-day is a vulnerability that is unknown to the product vendor and means that no patch is available to mitigate it. This can affect currently supported as well as unsupported end-of-life (EOL) systems. The main difference is that there is a good chance of a patch being developed if the system is still supported, but almost no chance if it is EOL.
Footprinting Threats:
Footprinting is an information-gathering threat in which the attacker attempts to learn about the configuration of the network and security systems. A threat actor will perform reconnaissance and research about the target, gathering publicly available information, scanning network ports and websites, and using social engineering techniques to try to discover vulnerabilities and ways to exploit the target.
Threat Types:
Historically, cybersecurity techniques were highly dependent on the identification of "static" -known threats , such as computer viruses. This type of threat leaves a programming code signature in the file that it infects that is relatively straightforward to identify with automated scanning software. Unfortunately, adversaries were able to develop means of circumventing this type of signature-based scanning. The sophisticated nature of modern cybersecurity threats means that it is important to be able to describe and analyze behaviors. This behavioral analysis involves identifying the attributes of threat actors in terms of location, intent, and capability.
Impersonation:
Impersonation means that the social engineer develops a pretext scenario to give himself or herself an opportunity to interact with an employee. A classic impersonation pretext is for the threat actor to phone into a department pretending to be calling from IT support, claim something must be adjusted on the user's system remotely, and persuade the user to reveal his or her password. For this type of pretexting attack to succeed, the social engineer must gain the employee's trust or use intimidation or hoaxes to frighten the employee into complying.
You will also come across the term cybersecurity. Where information security relates to ensuring data is stored and processed with CIA attributes in electronic or printed formats, cybersecurity refers specifically to controls that protect against attacks on computer storage and processing systems.
Information security and cybersecurity are assured by developing security policies and controls. Making a system more secure is also referred to as hardening it. Different security policies should cover every aspect of an organization's use of computer and network technologies, from procurement and change control to acceptable use. As part of this process, security teams must perform assessments to determine how secure a network is. These assessments involve vulnerabilities, threats, and risk: -Vulnerability is a weakness that could be accidentally triggered or intentionally exploited to cause a security breach. -Threat is the potential for someone or something to exploit a vulnerability and breach security. A threat may be intentional or unintentional. The person or thing that poses the threat is called a threat actor or threat agent. The path or tool used by a malicious threat actor can be referred to as the attack vector or threat vector. -Risk is the likelihood and impact (or consequence) of a threat actor exercising a vulnerability.
Key Exchange:
Key exchange allows two hosts to know the same symmetric encryption key without any other host finding out what it is. A symmetric cipher is much faster than an asymmetric one, so it is often used to protect the actual data exchange in a session. Asymmetric encryption only operates efficiently on data that is smaller than the key size. This makes it well-suited to encrypt and exchange symmetric cipher keys. The sender uses the recipient's public key to encrypt a secret key. The recipient uses the private key to retrieve the secret key and then uses the secret key to decrypt whatever data message was transmitted by the sender. In this context, the symmetric cipher secret key is also referred to as a session key. If it is changed often, it is also referred to as an ephemeral key.
Cross-Site Scripting Attacks:
Many network services are now deployed as web applications. The web application is deployed as script code running on an HTTP/HTTPS web server. This is referred to as server-side code. The web application is accessed by a web browser client. The web app might run scripts on the browser too. This is referred to as client-side code. Most applications depend on user input. One of the most widespread vulnerabilities in web apps is failure to validate this input properly. For example, the user might need to sign in using an email address and password, so the web app presents two text-box fields for the user to input those values. If a threat actor can send a script via the username field and make the server or client execute that code, the web app has an input validation vulnerability,
Distributed DoS Attacks and Botnets:
Network-based DoS attacks are normally accomplished by flooding the server with bogus requests. They rely on the attacker having access to greater bandwidth than the target or on the target being required to devote more resources to each connection than the attacker. This type of bandwidth-directed DoS attack is usually perpetrated as distributed DoS (DDoS) . DDoS means that the attacks are launched from multiple compromised systems, referred to as a botnet. To establish a botnet, the threat actor will first compromise one or two machines to use for command & control (C&C). The C&C hosts are used to compromise hundreds or thousands of devices by installing bots on them via automated exploits or successful phishing attacks. A bot establishes a persistent remote-control channel with the C&C hosts. This allows the threat actor to launch coordinated attacks using all the devices in the botnet.
Password Attacks:
On-path and malware attacks can be difficult to perpetrate. Many network intrusions occur because a threat actor simply obtains credentials to access the network. Also, when threat actors gains some sort of access via an on-path or malware attack, they are likely to attempt to escalate privileges to gain access to other targets on the network by harvesting credentials for administrative accounts. A plaintext password can be captured by obtaining a password file or by sniffing unencrypted traffic on the network. If the protocol does not use encryption, then the threat actor can simply read the password string from the captured frames. In most cases, a password is stored and transmitted more securely by making a cryptographic hash of the string entered by the user. A cryptographic hash algorithm produces a fixed-length string from a variable-length string using a one-way function. This means that, in theory, no one except the user (not even the system administrator) knows the password, because the plaintext should not be recoverable from the hash.
Phishing:
Phishing uses social engineering techniques to make spoofed electronic communications seem authentic to the victim. A phishing message might try to convince the user to perform some action, such as installing malware disguised as an antivirus program or allow a threat actor posing as a support technician to establish a remote access connection. Other types of phishing campaign use a spoof website set up to imitate a bank or e‑commerce site or some other web resource that should be trusted by the target. The attacker then emails users of the genuine website, informing them that their account must be updated. Or, with some sort of hoax alert or alarm, the attacker supplies a disguised link that leads to the spoofed site. When users authenticate with the spoofed site, their logon credentials are captured. Some phishing variants are referred to by specific names: -Spear phishing occurs when the attacker has some information that makes the target more likely to be fooled by the attack. The threat actor might know the name of a document that the target is editing, for instance, and send a malicious copy, or the phishing email might show that the attacker knows the recipient's full name, job title, telephone number, or other details that help to convince the target that the communication is genuine. -Whaling is an attack directed specifically against upper levels of management in the organization (CEOs and other "big catches"). Upper management may also be more vulnerable to ordinary phishing attacks because of their reluctance to learn basic security procedures. -Vishing is conducted through a voice channel (telephone or VoIP, for instance). For example, targets could be called by someone purporting to represent their bank asking them to verify a recent credit card transaction and requesting their security details. It can be much more difficult for someone to refuse a request made in a phone call compared to one made in an email.
Tailgating and Piggybacking:
Tailgating is a means of entering a secure area without authorization by following closely behind the person who has been allowed to open the door or checkpoint. Piggybacking is a similar situation but means that the attacker enters a secure area with an employee's permission. For instance, an attacker might impersonate a member of the cleaning crew and request that an employee hold the door open while the attacker brings in a cleaning cart or mop bucket. Another technique is to persuade someone to hold a door open, using an excuse such as "I've forgotten my badge (or key)."
QUIZ: You are assisting with the development of end-user security awareness documentation. What is the difference between tailgating and shoulder surfing?
Tailgating means following someone else through a door or gateway to enter premises without authorization. Shoulder surfing means covertly observing someone type a PIN or password or other confidential data.
QUIZ: You discover that a threat actor has been able to harvest credentials from some visitors connecting to the company's wireless network from the lobby. The visitors had connected to a network named "Internet" and were presented with a web page requesting an email address and password to enable guest access. The company's access point had been disconnected from the cabled network. What type of attack has been perpetrated?
This is an evil twin attack where the threat actor uses social engineering techniques to persuade users to connect to an access point that spoofs a legitimate guest network service.
Dumpster Diving:
To make a pretext seem genuine, the threat actor must obtain privileged information about the organization or about an individual. For example, an impersonation pretext is much more effective if the attacker knows the user's name. As most companies are set up toward customer service rather than security, this information is typically easy to come by. Information that might seem innocuous, such as department employee lists, job titles, phone numbers, diary appointments, invoices, or purchase orders, can help an attacker penetrate an organization through impersonation. Another way to obtain information that will help to make a social engineering attack credible is by obtaining documents that the company has thrown away. Dumpster diving refers to combing through an organization's (or individual's) garbage to try to find useful documents. Attackers may even find files stored on discarded removable media.