Conklin Sec+ Ch. 1 - 5

What is the name given to the group of individuals who not only have the ability to write scripts that exploit vulnerabilities but also are capable of discovering new vulnerabilities?

A.

Which of the following are reasons that the insider threat is considered so dangerous? (Choose all that apply.) A. Insiders have the access and knowledge necessary to cause immediate damage to an organization. B. Insiders may actually already have all the access they need to perpetrate criminal activity such as fraud. C. Insiders generally do not have knowledge of the security systems in place, so system monitoring will allow for any inappropriate activity to be detected. D. Attacks by insiders are often the result of employees who have become disgruntled with their organization and are looking for ways to disrupt operations.

ABD

Tools can be classified as active or passive. (describe)

Active tools interact with a target system in a fashion where their use can be detected. Scanning a network with Nmap (Network Mapper) is an active act that can be detected. In the case of Nmap, the tool may not be specifically detectable, but its use, the sending of packets, can be detected. When you need to map out your network or look for open services on one or more hosts, a port scanner is probably the most efficient tool for the job. Passive tools are those that do not interact with the system in a manner that would permit detection, as in sending packets or altering traffic. An example of a passive tool is Tripwire, which can detect changes to a file based on hash values. Another passive example is the OS mapping by analyzing TCP/IP traces with a tool such as Wireshark. Passive sensors can use existing traffic to provide data for analysis.

What is the term used to define attacks that are characterized by using toolkits to achieve a presence on a target network, with a focus on the long game—maintaining a persistence on the target network?

Advanced persistent threat

Describe ping of death (POD)

Another simple DoS attack is the infamous ping of death (POD), and it illustrates the other type of attack—one targeted at a specific application or operating system, as opposed to SYN flooding, which targets a protocol. In the POD attack, the attacker sends an Internet Control Message Protocol (ICMP) ping packet equal to, or exceeding, 64KB (which is to say, greater than 64 × 1024 = 65,536 bytes). This type of packet should not occur naturally (there is no reason for a ping packet to be larger than 64KB). Certain systems are not able to handle this size of packet, and the system will hang or crash.

Which of the following are true concerning attacker skill and sophistication? (Choose all that apply.) A. The level of complexity for modern networks and operating systems has grown so that it is nearly impossible for anyone but the most skilled of hackers to gain unauthorized access to computer systems and networks. B. Attackers do not have magic skills, but rather the persistence and skill to keep attacking weaknesses. C. With the introduction of cloud computing during the last decade, attackers now primarily focus on the cloud, thus reducing the level of sophistication required to conduct attacks since they can focus on a more limited environment. D. There is a surprising number of attacks being performed using old attacks, old vulnerabilities, and simple methods that take advantage of "low-hanging fruit."

BD

Attacks by individuals from organized crime are generally considered to fall into which threat category? A. Highly structure threatsB. Unstructured threatC. Structured threatD. Advanced persistent threat

C

You are attempting to perform an external vulnerability assessment for a client, but your source IP addresses keep getting blocked every time you attempt to run a vulnerability scan. The client confirms this is "as expected" behavior. You aren't able to scan for vulnerabilities, but you have been able to do which of the following? A. Identify vulnerability controlsB. Identify common misconfigurationsC. Passively test security controlsD. All of the above

C

Your organization's web server was just compromised despite being protected by a firewall and IPS. The web server is fully patched and properly configured according to industry best practices. The IPS logs show no unusual activity, but your network traffic logs show an unusual connection from an IP address belonging to a university. What type of attack is most likely occurring? A. Cross-site scripting attackB. Authority attackC. Zero day attackD. URL hijacking attack

C. If a "properly secured" and patched system is suddenly compromised, it is most likely the result of a zero day attack. A zero day attack is one that uses a vulnerability for which there is no previous knowledge outside of the attacker.

Describe Cross-Site Request Forgery

Cross-site request forgery (XSRF) attacks utilize unintended behaviors that are proper in defined use but are performed under circumstances outside the authorized use. This is an example of a "confused deputy" problem, a class of problems where one entity mistakenly performs an action on behalf of another. An XSRF attack relies upon several conditions to be effective. It is performed against sites that have an authenticated user and exploits the site's trust in a previous authentication event. Then, by tricking a user's browser to send an HTTP request to the target site, the trust is exploited. Assume your bank allows you to log in and perform financial transactions, but does not validate the authentication for each subsequent transaction. If a user is logged in and has not closed their browser, then an action in another browser tab could send a hidden request to the bank, resulting in a transaction that appears to be authorized but in fact was not done by the user.There are many different mitigation techniques that can be employed, from limiting authentication times, to cookie expiration, to managing some specific elements of a web page like header checking. The strongest method is the use of random XSRF tokens in form submissions. Subsequent requests cannot work, as the token was not set in advance. Testing for XSRF takes a bit more planning than for other injection-type attacks, but this, too, can be accomplished as part of the design process.

Attacks by an individual or even a small group of attackers fall into which threat category? A. Unorganized threatB. APTC. Singular threat D. Hactivist

D. (D. Attacks by an individual or even a small group of attackers fall into the hactivist threat category. Attacks by criminal organizations usually fall into the structured threat category. The other two answers are not categories of threats used by the security community.)

(other than buffer overflow) Other forms of memory vulnerabilities include (2)

DLL injections, where additional code can be put into a program's memory space and used, and issues associated with pointers, including pointer errors, commonly associated with dereference errors.

DNS poisoning is a variant of a larger attack class referred to as

DNS spoofing. In DNS spoofing, an attacker changes a DNS record through any of a multitude of means. There are many ways to perform DNS spoofing, a few of which include compromising a DNS server, the use of the Kaminsky attack, and the use of a false network node advertising a false DNS address. An attacker can even use DNS cache poisoning to result in DNS spoofing. By poisoning an upstream DNS cache, all of the downstream users will get spoofed DNS records.

DOM stands for

Document Object Model (DOM)

Describe Domain Hijacking

Domain hijacking is the act of changing the registration of a domain name without the permission of its original registrant. Technically a crime, this act can have devastating consequences because the DNS system will spread the false domain location far and wide automatically. The original owner can request it to be corrected, but this can take time.

Describe DLL Injection

Dynamic link libraries (DLLs) are pieces of code that can add functionality to a program through the inclusion of library routines linked at run time. DLL injection is the process of adding to a program at run time a DLL that has a specific vulnerability of function that can be capitalized upon by an attacker. A good example of this is Microsoft Office, a suite of programs that use DLLs loaded at run time. Adding an "evil" DLL in the correct directory, or via a registry key, can result in "additional functionality" being incurred.

A similar mistake to attempting to develop your own cryptographic algorithm is to attempt to write your own implementation of a known cryptographic algorithm. (describe)

Errors in coding implementations are common and lead to weak implementationsof secure algorithms that are vulnerable to bypass. Do not fall prey to creating a weak implementation; instead, use a proven, vetted cryptographic library.

Criminal activity on the Internet at its most basic is no different from criminal activity in the physical world. __(5) all take place in the electronic environment.

Fraud, extortion, theft, embezzlement, and forgery

What term is used to describe the type of threat that is characterized by a much longer period of preparation (years is not uncommon), tremendous financial backing, and a large and organized group of attackers?

Highly structured threat

There are several major sources besides the wide range of open source feeds. Examples include Information Sharing and Analysis Organizations (ISAOs) and Information Sharing Analysis Centers (ISACs). (describe)

ISAOs vary greatly in capability but essentially include any organization, whether an industry sector or geographic region, that is sharing cyber-related information for the purpose of enhancing their members' cybersecurity posture. ISACs are a special category of ISAO consisting of privately run, but government approved, industry-based cybersecurity. ISACs may be considered fusion centers where real-time information can be shared between members. ISAOs and ISACs work on a very simple premise: share what is happening to you, and together learn what is happening in your industry. The sharing is anonymized, the analysis is performed by highly skilled workers in a security operations center, and the resulting information is fed back to members as close to real time as possible. Highly skilled analysts are expensive, and this mechanism shares the costs across all of the member institutions. A U.S. government program, InfraGard, is run by the FBI and also acts as a means of sharing, although timeliness and level of analysis are nowhere near that of an ISAC, but the price is right (free).

The __ is the primary reason for the weaknesses in WEP.

IV (The IV is sent in the plaintext part of the message, and because the total keyspace is approximately 16 million keys, the same key will be reused. Once the key has been repeated, an attacker has two ciphertexts encrypted with the same key stream. This allows the attacker to examine the ciphertext and retrieve the key. This attack can be improved by examining only packets that have weak IVs, reducing the number of packets needed to crack the key. Using only weak IV packets, the number of required captured packets is reduced to around four or five million, which can take only a few hours to capture on a fairly busy access point (AP).)

Warfare conducted against the information and information processing equipment used by an adversary is known as which of the following?

Information warfare

Social engineering techniques: Familiarity

People do things for people they like or feel connected to. Building this sense offamiliarity and appeal can lead to misplaced trust. The social engineer can focus the conversation on familiar items, not the differences. Again, leading with persuasion that one has been there before and done something, even if they haven't, for perception will lead to the desired familiar feeling.

Describe Pointer Dereference

Some computer languages use a construct referred to as a pointer, a variable that refers to the memory location that holds a variable as opposed to the value in the memory location. To get the value at the memory location denoted by a pointer variable, one must dereference the pointer. The act of pointer dereference now changes the meaning of the object to the contents of the memory location, not the memory location as identified by the pointer. Pointers can be very powerful and allow fast operations across a wide range of structures. But they can also be dangerous, as mistakes in their use can lead to unexpected consequences. When a programmer uses user inputs in concert with pointers, for example, lets the user pick a place in an array, and uses a pointer to reference the value, mistakes in the input validation can lead to errors in pointer dereference, which may or may not trigger an error, as the location will contain data and it will be returned.

Describe polymorphic malware

The detection of malware by anti-malware programs is primarily done through the use of a signature. Files are scanned for sections of code in the executable that act as markers, unique patterns of code that enable detection. Just as the human body creates antigens that match marker proteins, anti-malware programs detect malware through unique markers present in the code of the malware. Malware writers are aware of this functionality and have adapted methods to defeat it. One of the primary means of avoiding detection by sensors is the use of polymorphic code, which is code that changes on a regular basis. These changes or mutations are designed not to affect the functionality of the code, but rather to mask any signature from detection. Polymorphic malware is malware that can change its code after each use, making each replicant different from a detection point of view.

Describe Man-in-the-Browser

The man-in-the-browser (MitB) attack is a variant of a man-in-the-middle attack. In a MitB attack, the first element is a malware attack that places a Trojan element that can act as a proxy on the target machine. This malware changes browser behavior through browser helper objects or extensions. When a user connects to their bank, the malware recognizes the target (a financial transaction) and injects itself in the stream of the conversation. When the user approves a transfer of $150 to pay a utility bill, for example, the malware intercepts the user's keystrokes and modifies them to perform a different transaction.

Social engineering techniques: Authority

The use of authority in social situations can lead to an environment where one party feels at risk in challenging another over an issue. If an attacker can convince a target that he has authority in a particular situation, he can entice the target to act in a particular manner or risk adverse consequences. In short, if you act like a boss when requesting something, people are less likely to withhold it.

What term is used to describe the gathering of information from a variety of sources, including non-public sources, to allow an entity to properly focus their defenses against the most likely threat actors?

Threat intelligence

Describe Vulnerable Business Processes

Virtually all work is a combination of technology, people, and processes. Just as technology and users often have vulnerabilities that can be comprised, as previously discussed, vulnerable business processes are subject to compromise. When a business process that contains an inherent vulnerability is automated, then all that automation can do is increase the speed of the failure. A simple example would be paying an invoice without matching it to an approved purchase order. A common form of fraud is to send an invoice to an organization for goods or services that were not provided, typically for something common like office supplies. If someone in the organization processes the invoice for payment without verifying that the organization ordered and received the supplies, then this is clearly a business process failure. If the payment process is automated and works similarly, the vulnerability is even greater.

While auditing an organization, you discover that new users are added to the domain by sending an e-mail request to the IT department, but the e- mails don't always come from Human Resources, and IT doesn't always check with HR to ensure the new user request corresponds to an authorized user. This is an example of which of the following?

Vulnerable business process

Describe Armored Virus

When a new form of malware/virus is discovered, antivirus companies and security researchers will decompile the program in an attempt to reverse engineer its functionality. Much can be determined from reverse engineering, such as where the malware came from, how it works, how it communicates, how it spreads, and so forth. Armoring malware can make the process of determining this information much more difficult, if not impossible. Some malware, such as the Zeus Trojan, employs encryption in ways to prevent criminals from stealing the intellectual property of the very malware that they use.

SQL injection attacks involve the manipulation of input, resulting in a SQL statement that is different than intended by the designer. __ and __ injections are done in the same fashion.

XML; LDAP

Attacks by criminal organizations usually fall into the structured threat category, which is characterized by (4)

a greater amount of planning, a longer period of time to conduct the activity, more financial backing to accomplish it, and possibly corruption of, or collusion with, insiders.

Many nations today have developed to some extent the capability to conduct information warfare. There are several definitions for information warfare, but a simple one is that it is warfare conducted against the information and information processing equipment used by an adversary. In practice, this is a much more complicated subject, because information not only may be the target of an adversary, but also may be used as a weapon. Whatever definition you use, information warfare falls into the highly structured threatcategory. This type of threat is characterized by (4)

a much longer period of preparation (years is not uncommon), tremendous financial backing, and a large and organized group of attackers. The threat may include attempts not only to subvert insiders but also to plant individuals inside of a potential target in advance of a planned attack.

RFID tags come in several different forms and can be classified as either (describe)

active or passive. Active tags have a power source, while passive tags utilize the RF energy transmitted to them for power. RFID tags are used as a means of identification, and have the advantage over bar codes that they do not have to be visible, just within radio wave range, typically centimeters to 200 meters depending upon tag type. RFID tags are used in a range of security situations including contactless identification systems such as smart cards.

"Secure by Default" is

an initiative by Microsoft to ensure that all of its systems are designed to be secure by default when installed and operated. systems are designed to be secure by default when installed and operated. One of the key elements of this initiative is to force the system installer to provide unique and secure credentials upon installation. This prevents the misconfiguration by omission issue (discussed in the previous section) that enables attackers to reuse default admin credentials to gain admin- or root-level control over a system

Black box software testing techniques are very useful for examining

any web- based application. Web-based applications are typically subjected to a barrage of valid, invalid, malformed, and malicious input from the moment they are exposed to public traffic. By performing black box testing before an application is released, developers can potentially find and correct errors in the development or testing stages.

Generally, attacks by an individual or even a small group of attackers fall into the unstructured threat category. Attacks at this level generally (4)

are conducted over short periods of time (lasting at most a few months), do not involve a large number of individuals, have little financial backing, and are accomplished by insiders or outsiders who do not seek collusion with insiders.

In a DDoS attack, service is denied by overwhelming the target with traffic from many different systems. A network of __ (sometimes called zombies) is created by the attacker

attack agents

From a high-level standpoint, attacks on computer systems and networks can be grouped into two broad categories:

attacks on specific software (such as an application or the operating system) and attacks on a specific protocol or service.

Input validation is especially well suited for the following vulnerabilities: (6)

buffer overflow, reliance on untrusted inputs in a security decision, cross-site scripting (XSS), cross-site request forgery (XSRF), path traversal, and incorrect calculation of buffer size.

How can you stop or mitigate the effects of a DoS or DDoS attack? One important precaution is to ensure that you have applied the latest patches and updates to your systems and the applications running on them. Once a specific vulnerability is discovered, it does not take long before multiple exploits are written to take advantage of it. Generally, you will have a small window of opportunity in which to patch your system between the time the vulnerability is discovered and the time exploits become widely available. A vulnerability can also be discovered by hackers, and exploits provide the first clues that a system has been compromised. Attackers can also reverse-engineer patches to learn what vulnerabilities have been patched, allowing them to attack unpatched systems. Another approach involves

changing the time-out option for TCP connections so that attacks such as the SYN flooding attack are more difficult to perform, because unused connections are dropped more quickly.

Although there are no patches for zero day vulnerabilities, you can use __ to mitigate the risk.

compensating controls

EXAM TIP Zero day threats have become a common topic in the news and are a likely target for exam questions. Keep in mind that defenses exist, such as

compensating controls, which are controls that mitigate the risk indirectly; for example, a mitigating control may block the path to the vulnerability rather than directly address the vulnerability.

DNS poisoning is a variant of a larger attack class referred to as DNS spoofing. In DNS spoofing, an attacker changes a DNS record through any of a multitude of means. There are many ways to perform DNS spoofing, a few of which include (4)

compromising a DNS server, the use of the Kaminsky attack, and the use of a false network node advertising a false DNS address. An attacker can even use DNS cache poisoning to result in DNS spoofing. By poisoning an upstream DNS cache, all of the downstream users will get spoofed DNS records.

RFID tags are used in a range of security situations including

contactless identification systems such as smart cards.

There are several standards associated with securing the RFID data flow, including ISO/IEC 18000 and ISO/IEC 29167 for __(4), while ISO/IEC 20248 specifies a

cryptography methods to support confidentiality, untraceability, tag and reader authentication, and over-the-air privacy; digital signature data structure for use in RFID systems.

Logic bombs, unlike viruses and Trojans, are a type of malicious software that is

deliberately installed, generally by an authorized user.

Some computer languages use a construct referred to as a pointer, a variable that refers to the memory location that holds a variable as opposed to the value in the memory location. To get the value at the memory location denoted by a pointer variable, one must

dereference the pointer. The act of pointer dereference now changes the meaning of the object to the contents of the memory location, not the memory location as identified by the pointer.

Passive tools are those that do not interact with the system in a manner that would permit detection, as in sending packets or altering traffic. An example of a passive tool is Tripwire, which can

detect changes to a file based on hash values.

When a machine sends an ARP request to the network, the reply is received and entered into all

devices that hear the reply.

Because of the importance of integrity on DNS requests and responses, a project has begun to secure the DNS infrastructure using

digital signing of DNS records. This project, initiated by the U.S. government and called Domain Name System Security Extensions (DNSSEC), works by digitally signing records.

The best way to prevent replay attacks is with (3)

encryption, cryptographic authentication, and time stamps.

Buffer overflows typically inherit the level of privilege...

enjoyed by the program being exploited. This is why programs that use root-level access are so dangerous when exploited with a buffer overflow, as the code that will execute does so at root-level access.

EXAM TIP Five types of rootkits exist:

firmware, virtual, kernel, library, and application level.

Bluejacking: As Bluetooth is a short- range protocol, the attack and victim must be within roughly 10 yards of each other. The victim's phone must also

have Bluetooth enabled and must be in discoverable mode.

Many nations today have developed to some extent the capability to conduct information warfare. There are several definitions for information warfare, but a simple one is that it is warfare conducted against the information and information processing equipment used by an adversary. In practice, this is a much more complicated subject, because information not only may be the target of an adversary, but also may be used as a weapon. Whatever definition you use, information warfare falls into the __ threat category.

highly structured

IOC stands for

indicator of compromise

When computer programs take inputs for a variable, they are put into buffers in memory. These buffers are located where the variable is stored in memory, so when the program needs to reference the value of a variable, it uses the memory location to obtain the value. Some languages, referred to as type safe, verify the length of an input before assigning it to the memory location. Other languages, such as C/C++, rely upon the programmer to handle this verification task. When this task is not properly performed, there exists a chance to overwrite the allocated area in memory, potentially corrupting other values of other variables, and certainly not storing what was requested in the variable in question. This is amemory/buffer vulnerability and it can exist in software without issue until input that exceeds the allocated space is received. Then the memory/buffer vulnerability becomes an __ or __ error.

input overflow; buffer overflow

Black box testing is a software-testing technique that consists of finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. Black box techniques test the functionality of the software, usually from an external or user perspective. Testers using black box techniques typically have no knowledge of the internal workings of the software they are testing. They treat the entire software package as a "black box"—they put input in and look at the output. They have no visibility into how the data is processed inside the application, only the output that comes back to them. Test cases for black box testing are typically constructed around

intended functionality (what the software is supposed to do) and focus on providing both valid and invalid inputs.

Is intrusive or nonintrusive vulnerability scan more accurate in the actual determination of a vulnerability?

intrusive is more accurate

As covered in Chapter 3, APTs place two elements at the forefront of all activity:

invisibility from defenders and persistence.

Unlike a virus, which reproduces by attaching itself to other files or programs, a Trojan

is a stand-alone program that must be copied and installed by the user—it must be "brought inside" the system by an authorized user. The challenge for the attacker is enticing the user to copy and run the program. This generally means that the program must be disguised as something that the user would want to run—a special utility or game, for example.

As nations have increasingly become dependent on computer systems and networks, the possibility that these essential elements of society might be targeted by organizations or nations determined to adversely affect another nation has become a reality. Many nations today have developed to some extent the capability to conduct information warfare. There are several definitions for information warfare, but a simple one is that

it is warfare conducted against the information and information processing equipment used by an adversary. In practice, this is a much more complicated subject, because information not only may be the target of an adversary, but also may be used as a weapon. Whatever definition you use, information warfare falls into the highly structured threatcategory. This type of threat is characterized by a much longer period of preparation (years is not uncommon), tremendous financial backing, and a large and organized group of attackers. The threat may include attempts not only to subvert insiders but also to plant individuals inside of a potential target in advance of a planned attack.

Because of the importance of integrity on DNS requests and responses, a project has begun to secure the DNS infrastructure using digital signing of DNS records. This project, initiated by the U.S. government and called Domain Name System Security Extensions (DNSSEC), works by digitally signing records. This is done by adding records to the DNS system... a

key and a signature attesting to the validity of the key. With this information, requestors can be assured that the information they receive is correct. It will take a substantial amount of time (years) for this new system to propagate through the entire DNS infrastructure, but in the end, the system will have much greater assurance.

The changing of where DNS is resolved can be a DNS poisoning attack. The challenge in detecting these attacks is

knowing what the authoritative DNS entry should be, and detecting when it changes in an unauthorized fashion.

Threat actors can be divided into groups based on abilities, as shown previously in the chapter. There are other ways to differentiate the threat actors, by (4)

location, internal or external, by level of sophistication, level of resources, and intent.

The detection of malware by anti-malware programs is primarily done through the use of a signature. Files are scanned for sections of code in the executable that act as __, unique patterns of code that enable detection.

markers

Cross-site request forgery (XSRF) attacks utilize unintended behaviors that are proper in defined use but are performed under circumstances outside the authorized use. This is an example of a "confused deputy" problem, a class of problems where

one entity mistakenly performs an action on behalf of another.

Exam tip: Race conditions can be used for__ and __ attacks.

privilege elevation; denial-of- service

Hijack attacks generally are used against web and Telnet sessions. Sequence numbers as they apply to spoofing also apply to session hijacking, since the hijacker will need to

provide the correct sequence numbers to continue the appropriate sessions.

EXAM TIP: Race conditions can be used for privilege elevation and denial-of- service attacks. Programmers can use __(3) to prevent race conditions.

reference counters, kernel locks, and thread synchronization

There are several different attack types that can be performed against RFID systems: • Against the RFID devices themselves, the chips and readers• Against the communication channel between the device and the reader • Against the reader and back-end system The last type is more of a standard IT/IS attack depending upon the interfaces used (web, database, etc.) and is not covered any further. Attacks against the communication channel are relatively easy because the radio frequencies are known and devices exist to interface with tags. Two main attacks are

replay and eavesdropping. In a replay attack, the RFID information is recorded and then replayed later. In the case of an RFID-based access badge, it could be read in a restaurant from a distance and then replayed at the appropriate entry point to gain entry. In the case of eavesdropping, the data can be collected, monitoring the movement of tags for whatever purpose needed by an unauthorized party. Both of these attacks are easily defeated using the ISO/IEC security standards previously listed.

Attacks by criminal organizations usually fall into the __ category

structured threat

EXAM TIP: As time passes, an enterprise may lose the ability to properly manage all of the (4)___ that have accumulated. This results in overprovisioning provisioned resources and is commonly known as system sprawl.

systems, devices, software, and data assets

Viruses were generally thought of as a system-based problem, and worms were network-based. If the malicious code is sent throughout a network, it may subsequently be called a worm. The important distinction, however, is whether

the code has to attach itself to something else (a virus) or if it can "survive" on its own (a worm).

Threat intelligence is

the gathering of information from a variety of sources, including non-public sources, to allow an entity to properly focus their defenses against the most likely threat actors.

Buffer overflows typically inherit the level of privilege enjoyed by

the program being exploited. This is why programs that use root-level access are so dangerous when exploited with a buffer overflow, as the code that will execute does so at root-level access.

At times, nslookup will return a nonauthoritative answer, as shown in Figure 2-6. This typically means

the result is from a cache as opposed to a server that has an authoritative (that is, known to be current) answer.

If a vulnerability scan is going to involve a lot of checks, the non- intrusive method can be advantageous, as

the servers may not have to be rebooted all the time.

One of the risks of embedded systems comes from

the software that is in the system yet separate from any update/patch methodology.

Controls to defend against XSS attacks include

the use of anti-XSS libraries to strip scripts from the input sequences. Various other ways to mitigate XSS attacks include limiting types of uploads and screening the size of uploads, whitelisting inputs, and so on, but attempting to remove scripts from inputs can be a tricky task. Well-designed anti-XSS input library functions have proven to be the best defense. Cross-site scripting vulnerabilities are easily tested for and should be a part of the test plan for every application. Testing a variety of encoded and unencoded inputs for scripting vulnerability is an essential test element.

XSRF: There are many different mitigation techniques that can be employed, from limiting authentication times, to cookie expiration, to managing some specific elements of a web page like header checking. The strongest method is

the use of random XSRF tokens in form submissions. Subsequent requests cannot work, as the token was not set in advance. Testing for XSRF takes a bit more planning than for other injection-type attacks, but this, too, can be accomplished as part of the design process.

Buffer overflow attacks are input validation attacks, designed to take advantage of input routines that do not validate the length of inputs. Surprisingly simple to resolve, all that is required is

the validation of all input lengths prior to writing to memory. This can be done in a variety of manners, including the use of safe library functions for inputs. This is one of the vulnerabilities that has been shown to be solvable, and in fact the prevalence is declining substantially among major security-conscious software firms.

Logic bombs, unlike viruses and Trojans, are a type of malicious software that is deliberately installed, generally by an authorized user. A logic bomb is a piece of code that sits dormant for a period of time until some event or date invokes its malicious payload. An example of a logic bomb might be a program that is set to load and run automatically, and that periodically checks an organization's payroll or personnel database for a specific employee. If the employee is not found, the malicious payload executes, deleting vital corporate files. If the event is a specific date or time, the program will often be referred to as a

time bomb.

Generally, attacks by an individual or even a small group of attackers fall into the __ category.

unstructured threat

Escalation of privilege is the movement from a lower-level account to an account that enables root-level activity. Typically, the attacker...

uses a normal user account to exploit a vulnerability on a process that is operating at root, enabling the attacker to assume the privileges of the exploited process—at root level. Once this level of privilege is achieved, the attacker takes additional steps to ensure persistent access back to the privileged level. With root access, things like log changes and other changes are possible, expanding the ability of the attacker to achieve their objective and to remove information, particularly logs that could lead to detection of the attack.

Another major advance in cyberattacks is the development of the advanced persistent threat (APT). APT attacks are characterized by

using toolkits to achieve a presence on a target network and then, instead of just moving to steal information, focusing on the long game, maintaining a persistence on the target network. The tactics, tools, and procedures of APTs are focused on maintaining administrative access to the target network and avoiding detection. Then, over the long haul, the attacker can remove intellectual property and more from the organization, typically undetected.

Rootkits can exist in firmware, and these have been demonstrated in both

video cards and expansion cards.

Cross-site scripting (XSS) is one of the most common web attack methodologies. The cause of the vulnerability is

weak user input validation. If input is not validated properly, an attacker can include a script in their input and have it rendered as part of the web process.

System sprawl is

when the systems expand over time, adding elements and functionality, and over time the growth and change exceeds the documentation. This addition of undocumented assets means that these specific assets are not necessarily included in plans for upgrades, security, etc. Enterprises inevitably end up with system sprawl and undocumented assets. What begins as correct, over time moves to complete failure to understand because we seldom manage the documentation of the architecture as built and deployed. As changes occur, we always seem to miss updating the diagrams, architectures, and rules associated with security. System sprawl occurs because we continually "improve" systems by adding functionality and frequently fail to update the architecture plans. The new elements that are not documented become undocumented assets and contribute to misunderstandings and issues when they are not considered for future changes. Undocumented assets also have a higher chance of becoming an unknown vulnerability primarily because of their undocumented status that precludes their inclusion in routine security checks.

How complicated the spoofing is depends heavily on several factors, including (2)

whether the traffic is encrypted and where the attacker is located relative to the target. Spoofing attacks from inside a network, for example, are much easier to perform than attacks from outside of the network, because the inside attacker can observe the traffic to and from the target and can do a better job of formulating the necessary packets. Formulating the packets is more complicated for external attackers because a sequence number is associated with TCP packets. A sequence number is a 32-bit number established by the host that is incremented for each packet sent. Packets are not guaranteed to be received in order, and the sequence number can be used to help reorder packets as they are received and to refer to packets that may have been lost in transmission. In the TCP three-way handshake, two sets of sequence numbers are created, as shown in Figure 2-10. The first system chooses a sequence number to send with the original SYN packet. The system receiving this SYN packet acknowledges with a SYN/ACK. It sends an acknowledgment number back, which is based on the first sequence number plus one (that is, it increments the sequence number sent to it by one). It then also creates its own sequence number and sends that along with it. The original system receives the SYN/ACK with the new sequence number. It increments the sequence number by one and uses it as the acknowledgment number in the ACK packet with which it responds. The difference in the difficulty of attempting a spoofing attack from inside a network and from outside involves determining the sequence number. If the attacker is inside of the network and can observe the traffic with which the target host responds, the attacker can easily see the sequence number the system creates and can respond with the correct sequence number. If the attacker is external to the network and the sequence number the target system generates is not observed, it is next to impossible for the attacker to provide the final ACK with the correct sequence number. So the attacker has to guess what the sequence number might be.

There are several different attack types that can be performed against RFID systems: (3)

• Against the RFID devices themselves, the chips and readers• Against the communication channel between the device and the reader • Against the reader and back-end system

Pen tests are very useful in that they (3)

• Can show relationships between a series of "low-risk" items that can be sequentially exploited to gain access (making them a "high-risk" item in the aggregate). • Can be used to test the training of employees, the effectiveness of your security measures, and the ability of your staff to detect and respond to potential attackers. • Can often identify and test vulnerabilities that are difficult or even impossible to detect with traditional scanning tools.

There are several different types of XSS attacks, which are distinguished by the effect of the script: (3) (describe)

• Non-persistent XSS attack: The injected script is not persisted or stored, but rather is immediately executed and passed back via the web server. • Persistent XSS attack: The script is permanently stored on the web server or some back-end storage. This allows the script to be used against others who log in to the system. • DOM-based XSS attack: The script is executed in the browser via the Document Object Model (DOM) process as opposed to the web server.

As with many other sophisticated systems, IOCs have developed their own internal languages, protocols, and tools. Two major, independent systems for communicating IOC information exist:

• OpenIOC Originally developed by Mandiant (acquired by FireEye) to facilitate information of IOC data. Mandiant subsequently made OpenIOC open source. • STIX/TAXII/CybOx MITRE designed Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII), and Cyber Observable Expression (CybOX) to specifically facilitate automated information sharing between organizations.