Security+ Ch.1
● Viruses ● Crypto-malware ● Ransomware ● Worm ● Trojan ● Rootkit ● Key-logger ● Adware ● Spyware ● Bots ● RAT ● Logic bomb ● Backdoor
13 Types of Malware?
Virus
A piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data
Trojan / Trojan Horse
A program that appears legitimate but performs some harmful activity when it is run. It may be used to locate password information, make the system more vulnerable to future entry, or simply destroy programs or data on the hard disk. It is similar to a virus, except that it does not replicate itself or reproduce by infecting other files. It stays in the computer doing its damage or allowing somebody at a remote site to take control of the computer. It is often sneaked onto a system attached to a free game.
Driver
A program that controls a device (printers, media, keyboards, etc.)
Macro virus
A software exploitation virus that works by using the macro feature included in many applications, such as Microsoft Office.
MAC spoofing
A technique for changing a factory-assigned MAC address of a network interface on a networked device.
IP spoofing
A technique used to gain unauthorized access to machines, whereby an attacker illicitly impersonates another machine by manipulating IP packets. IP Spoofing involves modifying the packet header with a forged (spoofed) source IP address, a checksum, and the order value.
C. Spear phishing
A user contacts you suspecting that his computer is infected. Yesterday he opened an email that looked like it was from a colleague. When he later talked to that person, she said she never sent an email. What type of attack is most likely the cause of the infection? A. Phishing B. Trojan C. Spear phishing D. Whaling
Retrovirus
A virus that attacks or bypasses the antivirus software installed on a computer.
Polymorphic virus
A virus that changes its virus signature (the binary pattern that makes the virus identifiable) every time it infects a new file. This makes it more difficult for antivirus programs to detect the virus.
Companion virus
A virus that creates a new program that runs in the place of an expected program of the same name.
Armored Virus
A virus that is protected in a way that makes disassembling it difficult. The difficulty makes it "armored" against antivirus programs that have trouble getting to, and understanding, its code.
Stealth virus
A virus that temporarily erases its code from the files where it resides and hides in the active memory of the computer.
Multipartite virus
A virus which affects multiple components (files and boot sectors, for example)
Pass the hash
An attacker attempts to authenticate to a remote server or service by intercepting password hashes on a network.
Known plain text/cipher text attack
The attacker attempts to derive a cryptographic key by using pairs of known plain text along with the corresponding cipher text.
Bot-masters or Bot-herders
Attackers that utilize bots or botnets are known as?
Cryptographic attacks:
Birthday; Known plain text/cipher text; Rainbow tables; Dictionary; Brute force; Pass the hash are examples of what type of attack?
Application/service attacks:
Buffer overflow; Injection; Cross-site scripting; Cross-site request forgery; Privilege escalation; Impersonation/Masquerading; Replay; Driver manipulation (Shimming; Refactoring) are examples of what type of attack?
Hijacking and related attacks:
Clickjacking; Session hijacking; URL hijacking / Typo squatting; MAC spoofing; IP spoofing are examples of what type of attack?
CryptoLocker, WannaCry, Locky, zCrypt, NotPetya
Crypto-malware & Ransomware Examples?
Social Engineering
Definition: ● The process by which intruders gain access to facilities, network, systems, data and even employees by exploiting the generally trusting nature of people. ● The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. ● Reference: Chris Hadnagy, The Art of Human Hacking (Wiley, 2010)
● Work with your ISP / network provider ● Border protection / Intrusion Detection & Prevention System ● Update network appliances, operating systems and applications ● Keep end users' systems up-to-date and deploy anti-virus (bot prevention)
DoS & DDoS - Prevention methods?
Network / Wireless Attacks:
DoS; DDoS; Man-in-the-middle; Amplification; DNS poisoning; Domain hijacking; ARP poisoning; Initialization Vector (IV); Evil twin; Rogue AP; Jamming; Bluejacking; Bluesnarfing are examples of what type of attack?
C. SQL injection
During a breach investigation, you notice that the attacker entered the database through a web front end application by manipulating the database code to exploit a vulnerability. What is the most likely name for this type of attack? A. SQL parsing B. Database injection C. SQL injection D. Session hijacking
● Clickjacking ● Session hijacking (Cookie hijacking) ● URL hijacking / Typo squatting
Examples of Hijacking and related attacks?
● Blue-jacking ● Blue-snarfing
Examples of PAN Wireless Attacks?
● Dictionary ● Brute force ● Rainbow tables ● Pass the hash
Examples of Password Attacks?
● Tailgating: gaining entry to electronically locked areas by following someone through the door they just unlocked ● Dumpster Diving: the practice of foraging in garbage that has been put out on the street in dumpsters, garbage cans, etc., for discarded items that may still be valuable, useful, or usable to commit fraud ● Shoulder Surfing: watching someone "over their shoulder" when they enter sensitive data such as a password or credit card information
Examples of Physical Social Engineering Attacks?
Examples: SubSeven, Back Orifice, ProRat, Turkojan, and Poison-Ivy
Examples of RATs?
● User education ● "Trust, but verify" ● "If you see something, say something"
Examples of Social Engineering Prevention?
Examples: ILoveYou, MyDoom, StormWorm, Anna Kournikova, Slammer
Examples of Worms?
● Phishing: sending fraudulent messages that appear to come from a reputable source in order to induce recipients to reveal sensitive information ● Spear Phishing: sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information ● Whaling: a phishing attack that is specifically aimed at wealthy, powerful, or prominent individuals ● Vishing: making phone calls or leaving voice messages purporting to be from reputable companies ● Pharming: redirecting traffic to a spoofed web site ● Variants: SMiShing (phishing via SMS)
Examples of communication spoofing / fraud?
● Prevention: Token authentication (Kerberos), MFA/TFA, Encryption, Sequenced session identification
Examples of prevention methods for impersonation/masquerading and replay attacks are?
● Evil twin: A rogue wireless access point poses as a legitimate wireless service provider to intercept information that users transmit ● Rogue AP: Any wireless access point added to your network that has not been authorized ● Initialization Vector (IV): an arbitrary number that can be used along with a secret key for data encryption. This number, also called a nonce, is employed only one time in any session. If the IV is weak, as in WEP, it may be reused. ● Jamming: Causing interference with a wireless signal.
Examples of wireless attacks? (4)
B. Pivoting
In initially conducting a penetration test, you find vulnerabilities on a separate, less secure server on the same network as the one you're investigating. You use access to that server to then attack the target servers. This type of exploit is known as: A. Escalation of privileges B. Pivoting C. Active reconnaissance D. Persistence
A. Improperly configured accounts
In this type of vulnerability, accounts have greater privileges than are needed to perform a function; it is addressed by applying least privilege. A. Improperly configured accounts B. Resource exhaustion C. Improper input handling D. Race condition
Frequency analysis attack
Looking at the blocks of an encrypted message to determine whether any common patterns exist
Network Hijacking Attacks
MAC spoofing, IP spoofing, and ARP spoofing are examples of what?
Indicators of Compromise (IoC)
Malware attacks: An artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion?
Delivery
Malware attacks: How it gets to the target?
Propagation
Malware attacks: How malware spreads?
Payload
Malware attacks: What malware does once it's there?
D. Replay
Of the below terms, which one best describes the type of attack that captures portions of a session to play back later to convince a host that it continues to communicate with the original system? A. IP hijacking B. Jamming C. Trojan D. Replay
B. Active reconnaissance
Of the following types of testing steps, which focuses on directly scanning a system, using techniques such as port scans, network mapping, ICMP scans to identify potential weaknesses? A. Operational reconnaissance B. Active reconnaissance C. Passive reconnaissance D. Initial exploitation
NTRootkit, Zeus, Stuxnet, Knark, Adore
Rootkit Examples?
Backdoor
Software code that gives access to a program or a service by circumventing normal security protections. Typically put in place by the developers during development and supposed to be removed before the software is released to production.
Social Engineering
Spear phishing; Whaling; Vishing; Tailgating; Impersonation; Dumpster diving; Shoulder surfing are all examples of what attack type?
Domain Hijacking attack : DNS Poisoning and DNS Spoofing
These are prevention methods for what types of attacks? ● Protect any internal DNS servers ● Use authoritative DNS sources
Examples: BackOrifice, Stuxnet, Zeus
Trojan / Trojan Horse Examples?
Crypto-malware & Ransomware
● Uses some form of encryption to lock a user out of a system. ● Symptoms: System lockout; ransom screen with payment instructions. ● Action: Use anti-malware software from a live boot to clean the crypto-malware.
● Authority ● Intimidation ● Consensus / Social Proof ● Scarcity ● Familiarity / Liking ● Trust ● Urgency ● Reciprocity
What are the Social Engineering Principles? (Reasons for effectiveness)
Remote Access Trojans or Remote Administration Tools
What does the acronym RATs stand for?
DNS Poisoning
When an attacker alters the domain-name-to-IP-address mappings in a DNS system to redirect traffic to a rogue system or perform a DoS attack.
ARP spoofing
When an attacker sends fake ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of the attacker's MAC address with the IP address of a legitimate computer or server on the network.
DNS Spoofing
When an attacker sends false replies to a requesting system in place of a valid DNS response.
A. brute-force attack
Which form of attack uses special programs that attempt all possible character combinations to determine passwords? A. brute-force attack B. dictionary attack C. password guessing D. birthday attack
A. Buffer overflow attack
Which of the following types of attack is the result of software vulnerabilities and is caused by supplying more data than is expected in an input field? A. Buffer overflow attack B. Cross site scripting C. Denial-of-Service (DoS) attack D. App overloading
B. DNS Poisoning
You have a user call you from a hotel saying there's an issue with your organization's web site and that it looks like it's been compromised. You check it from your workplace and it appears fine. What is a likely cause associated with the user at the hotel? A. Logic bomb B. DNS Poisoning C. Trojan horse D. Evil twin
C. Tailgating
You observe a delivery person entering your building by following an employee through a locked door into a secure facility. Which term best describes this type of attack: A. Shoulder surfing B. Reciprocity C. Tailgating D. Whaling
B. Exploiting unpatched applications
You've been asked to conduct an internal vulnerability assessment for your organization. Which of the following steps should you avoid in determining system or network weaknesses to minimize risk? A. Non-intrusive reconnaissance B. Exploiting unpatched applications C. Review of system control configuration settings D. Scanning for unpatched systems
B. Hacktivist
Your company's website has been defaced by an organization that doesn't agree with your corporate policies. What type of threat actor typically does this? A. Script kiddies B. Hacktivist C. Organized crime D. Insiders
● Defense in depth ● Patch ● Keep AV up-to-date
Zero-Day (0-Day) Exploits Prevention?
Rainbow Table Attack
All of the possible password hashes are computed in advance and those hash values are compared with the password database.
Birthday attack
an attack on cryptographic hash that looks for hash collisions - exploiting the 1-to-1 nature of hashing functions.
A penetration test / pen test
An authorized, simulated attack on a computer system, performed to evaluate the security of the system by actively exploiting found vulnerabilities. (aka Ethical Hacking)
Session hijacking (Cookie hijacking)
exploiting a valid computer session, or session key, to gain unauthorized access to information or services.
Phage virus
modifies and alters other programs and databases. The only way to remove this virus is to reinstall the programs that are infected
Brute force
systematically attempting all possible combinations of letters, numbers, and symbols. Usually automated.
Dictionary attack
systematically entering each word in a dictionary as a password
Privilege Escalation
the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
URL hijacking / Typo squatting
the act of registering domains that are similar to those for a known entity but based on a misspelling or typographical error. (examples: g00gle.com, gooogle.com)
Blue-jacking
the sending of unsolicited messages (think spam) over a Bluetooth connection.
Clickjacking
tricking a web user into clicking a spoofed button or graphic.
Blue-snarfing
○ The gaining of unauthorized access through a Bluetooth connection ○ Intercepting data through a Bluetooth connection
Distributed Denial of Service Attacks (DDoS)
● A DoS attack utilizing multiple compromised computer systems as sources of attack traffic ● Amplifies the concepts of a DoS attack by using multiple computer systems (often through botnets) to conduct the attack against a single organization
Rootkit
● A clandestine computer program designed to provide continued privileged access to a computer, allowing remote access to the attacker while actively hiding its presence. ● Software program that has the ability to obtain administrator or root-level access and hide from the operating system.
Botnet
● A network of compromised computers under the control of a malicious actor.
Advanced Persistent Threat (APT)
● A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity. ● Usually targets either private organizations, states, or both for business or political motives. ● APT processes require a high degree of covertness over a long period of time. ○ The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. ○ The "persistent" process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. ○ The "threat" process indicates human involvement in orchestrating the attack
Zero-Day (0-Day) Exploits
● An attack that exploits a previously unknown security vulnerability. ● It may take advantage of a security vulnerability on the same day that the vulnerability becomes generally known. ● Example: Stuxnet
Man-in-the-Middle Attacks
● An attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. ● The attacker may either observe (confidentiality attack) or alter (integrity attack)
Logic or Time bomb
● Any code that is hidden within an application and causes something unexpected to happen based on some criteria being met. For example: ○ A programmer could create a program that always makes sure her name appears on the payroll roster; if it doesn't, then key files begin to be erased. ○ A backdoor that is opened only at certain times.
Spyware / Adware
● Applications that covertly monitor online behavior without the user's knowledge or permission. ● Collected data is relayed to outside parties, often for use in advertising. ● Otherwise does not harm the infected computer, user or data. ● There is a line between illegal spyware and legitimate data collection.
Cryptographic attacks
● Birthday ● Known plain text/cipher text ● Frequency analysis ● Dictionary ● Brute force ● Rainbow tables ● Pass the hash
Application Attacks
● Buffer overflow ● Injection ● Cross-site scripting (XSS) ● Cross-site request forgery (CSRF or XSRF) ● Privilege escalation
These are examples of?
Replay Attacks
● Capturing network traffic via eavesdropping, then reestablishing a communications session by replaying captured traffic using spoofed authentication credentials.
Application Attacks - Prevention & Response
● Good coding practices - See OWASP ● Filter and validate any user input ● Use a Web Application Firewall (WAF) ● Build security into the Software Development Life Cycle (SDLC) ● Have an incident response plan in place
Injection
● Occurs when untrusted data is sent to an interpreter as part of a command or query. ● Most fall into the following categories: ○ Escape characters not filtered correctly ○ Type handling not properly done ○ Conditional errors ○ Time delays ● The way to defend against this attack is to always filter and validate inputs.
Social Engineering Attack Types
● Online ○ Phishing; Vishing; Whaling; Spear Phishing ○ Spoofing ● Offline / Physical ○ Tailgating ○ Impersonation ○ Dumpster diving ○ Shoulder surfing ● Either
Denial of Service Attacks (DoS)
● Preventing access to resources by users authorized to use those resources. Attacking systems availability. ● May accomplish: ○ Denial of access to information, applications, systems, or communications. ○ Bring down a website while the communications and systems continue to operate. ○ Crash the operating system (a simple reboot may restore the server to normal operation). ○ Fill the communications channel of a network and prevent access by authorized users.
Driver manipulation
● Shimming: creating a library—or modifying an existing one—to bypass a driver and perform a function other than the one for which the API was created. ● Refactoring: set of techniques used to identify the flow and then modify the internal structure of code without changing the code's visible behavior
Keylogger / Keystroke Loggers
● Software programs or hardware devices that track the activities of input devices ○ Keys pressed on a keyboard ○ Mouse clicks ○ Screen recorders or scrapers ● Keyloggers are a form of spyware where users are unaware their actions are being tracked ● Keylogger software typically stores your keystrokes in a small file, which is either accessed later or automatically emailed to the person monitoring your actions
RATs
● Software that remotely gives a person full control of a tech device. ● Programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC. ● Provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols or backdoors created upon infection ○ Often mimic similar behaviors of keylogger applications by allowing the automated collection of input data
Impersonation / Masquerading
● The act of pretending to be someone or something in order to gain unauthorized access to a system.
Amplification Attacks
● The goal of the attacker is to get a response to their request in a greater than 1:1 ratio so that the additional bandwidth works to congest and slow down the responding server. ● The ratio achieved is known as the amplification factor, and high numbers are possible with UDP-based protocols such as NTP, CharGen, and DNS. ● Usually employed as part of a DDoS attack
Worms
● Use the network to replicate copies of themselves to systems or devices automatically and without user intervention. ● To spread, worms either exploit a vulnerability on the target system or use social engineering to trick users into executing. ● A worm takes advantage of file-transport or information transport features on the system, allowing it to travel unaided.
Buffer overflow
● When more data are written to a buffer than it can hold ● An anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
Cross-site request forgery (CSRF/XSRF)
● an attack that forces an end user to execute unwanted actions on a web application. Also known as a session riding or one-click attack.
Cross-Site Scripting (XSS)
● Occurs whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.
Bot
● An automated software program that collects information on the web; in its malicious form, a compromised computer being controlled remotely, also known as a "zombie computer".