Threats, Attacks, and Vulnerabilities
Pharming
A phishing attack that automatically redirects the user to a fake site.
OSINT (Open Source Intelligence)
Information collected from publicly available sources such as publications, geospatial information, and many online resources.
Worms
Destructive programs that replicate themselves without requiring another program (a host) to provide a safe environment for replication.
Threat
A circumstance or event that has the potential to compromise confidentiality, integrity, or availability. Threats can be natural (hurricanes, floods, earthquakes, etc.) or man-made (malicious software, hackers, etc.). Threats cannot be prevented, but their impact can be reduced.
Zombie
A computer that is controlled by a hacker who uses it to launch attacks on other computer systems. Can be updated automatically and remotely.
Integer Overflow
A condition that occurs when a very large integer exceeds its storage capacity.
MITM
A form of active interception allowing an attacker to intercept traffic and insert malicious code sent to other clients. Kerberos provides mutual authentication and helps prevent MITM attacks. A static ARP entry also helps prevent MITM attacks: arp -s <IP address> <hexadecimal MAC address>
Replay Attack
A form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. Kerberos prevents this by using timestamps and USNs.
Bluejacking
A hacking method that allows an individual to send anonymous messages to Bluetooth-enabled devices. Once paired with the attacker's device, the user's data becomes available for unauthorized access, modification, or deletion (bluesnarfing).
Insider Threat
A malicious insider.
Banner Grabbing
A method used to gain information about a remote system, often as part of a fingerprinting attack. It identifies the operating system of a host in the DMZ and other details of the remote system, such as OS patch level, application patch level, and application version.
Vulnerability Scan
A passive scan that has little impact on a system during a test. Detects vulnerabilities, misconfigurations, and lack of security controls. Helps to identify which systems are vulnerable to attack.
In-Line Scanner
A passive scan used to detect anomalies in network traffic, such as a possible attack. The scanner then sends an alert and logs the attack.
Whaling
A phishing attack that is targeted at senior business executives and government leaders.
Vishing
A phishing attack that uses a telephone call instead of e-mail, often with a fake caller ID, in an attempt to get account details.
Remote Access Trojan (RAT)
A remote administration tool maliciously installed as a Trojan horse to give a remote user some level of control of the infected system via a backdoor. An important part of a botnet. • Symptoms: usually undetectable until activated; system damage, data loss. • Action: restore the system from backups.
Credentialed Vulnerability Scan
A scan that provides credentials to the scanner so that tests for additional internal vulnerabilities (such as uncommon open ports, files, versions, and registry values on the host) can be performed; reduces false positives and will likely produce the most information.
Buffer Overflow
Occurs when an app receives more input, or different input, than is expected. The result is an error that exposes system memory that would otherwise be protected and inaccessible. The attacker is able to write malicious code into the extra allocated memory, often preceded by a NOP sled (a series of no-operation instructions, 0x90). Example of oversized input sent to an SMTP service: echo "vrfy $(perl -e 'print "hi" x 500)" | nc www.company.com 25
Keylogger
A small hardware device or a program that monitors each keystroke a user types on the computer's keyboard.
Dynamic Link Library (DLL) Injection
A software vulnerability that can occur when a Windows-based application attempts to force another running application to load a dynamic-link library (DLL) into memory, causing the victim application to experience instability (crashes) or leak sensitive information. To mitigate, all calls to different DLLs should be hard-coded in the application.
Flood Guard
A switch feature that protects against media access control (MAC) flood attacks.
Spanning Tree Protocol (STP)
A switching protocol that protects against switching loops by dynamically disabling links as needed and should always be enabled.
Pivoting
A technique in which an attacker uses a single compromised system as a platform for launching attacks deeper into a company's network.
Black Box Testing
A testing approach that focuses on the functionality of the application or product without knowledge of the code.
Spyware/Adware
A type of malware that may monitor/collect browser activity and log keystrokes, and may impact computer performance and generate pop-ups.
Rogue Access Points
A type of MITM attack: unauthorized access points (evil twins) that are set up by a department or an individual.
Downgrade Attack/POODLE
A type of attack that forces a system to downgrade its security. The attacker then exploits the lesser security control. POODLE is an MITM exploit that affects SSL 3.0 with CBC-mode ciphers.
Macro Virus
A virus that's distributed by hiding it inside a macro.
System Sprawl
A vulnerability that occurs when an organization has more systems than it needs, undocumented assets, and systems it owns are underutilized. Asset management prevents system sprawl. Compare with VM sprawl.
Packet Sniffing/ Protocol Analyzer
Allows an attacker to capture and analyze IP headers and examine data/traffic being sent over a network if the data being transmitted is unencrypted (clear text); identifies the type of traffic, the source of the traffic, and the protocol flags used within the individual packets. tcpdump is classified as a sniffer.
WPS Attack
An attack against an AP. A WPS attack discovers the eight-digit WPS PIN and uses it to discover the AP passphrase.
Pass The Hash Attack
An exploit in which an attacker steals a hashed user credential and uses it as-is to try to authenticate to the same network the hashed credential originated on. Directed at Windows-based systems; an SSO vulnerability. Prevent by removing NTLM (New Technology LAN Manager).
Penetration Testing
An invasive test that identifies and repairs vulnerabilities by hacking into a network and accessing data without being granted access. Primary phases: planning (reconnaissance), discovery (initial exploitation), attack (exploiting vulnerabilities), and reporting (a penetration test report listing the exploited vulnerabilities).
Memory Leak
An undesirable state in which a program requests memory but never releases it, which can eventually prevent other programs from running. Found in Task Manager; the app pool is constantly being recycled.
Zero-Day Attack
Attack that exploits previously unknown vendor vulnerabilities, so victims have no time (zero days) to prepare for or defend against the attack.
Amplification Attack
Attack that significantly increases the amount of traffic sent to a victim. A type of DDoS attack.
Plaintext Attack
The attacker knows some of the plaintext used to create the encrypted data.
ARP Poisoning
Attackers alter a system's ARP table so it contains incorrect MAC address information, poisoning its table associations for other devices. Uses unsolicited ARP replies.
Armored Viruses
Attempt to trick or shield themselves from antivirus software and security professionals.
Threat Actor (People)
Attributes: the actor's relationship to the organization, motive, intent, and capabilities. Types: script kiddies, insiders, hacktivists, organized crime, competitors, and nation states. Competitors are more likely to want to steal intellectual property to gain a competitive advantage.
Rootkits
Can be installed and hidden on a computer mainly for the purpose of compromising the system. Malware scanners can be used to locate them.
Tracking Cookie
Can be used by spyware. Used to track your path through a website, the time you spend there, what links you click on, and other details, usually recorded for marketing purposes.
XSRF
Cross-site request forgery. An attack that causes users to perform actions on websites without their knowledge. In some cases, attackers use header manipulation to steal cookies and harvest passwords.
XSS
Cross-site scripting. Used to hijack a user's session. Can be prevented by using input validation techniques to filter special characters used in HTML or JavaScript code.
Honey Pot
Diverts malicious attackers to a harmless area of your network, away from production servers and real data.
False Negative
Does not report an actual attack.
Privilege Escalation
Exploiting a vulnerability in software to gain access to resources that the user or application would normally be restricted from obtaining.
DoS and DDoS (AKA Smurf)
Flooding a site with packets to prevent access, which contributes to resource exhaustion (when based on ICMP echo replies it is called a Smurf attack). DoS is an attack from one attacker against one target. DDoS attacks have one attacker and attack many targets.
Jabber
Has serious implications for larger organizations and can potentially allow an attacker to capture conversations.
Host Enumeration
Identifies hosts on a network.
Viruses
Infect systems and spread copies of themselves.
Malware
Malicious software running on a host. Types: adware (pop-ups); virus (has a replication mechanism, attaches to something to activate, usually looking for a result such as a backdoor; updated antivirus reduces viruses); spyware (collects information about computer habits and sells it to an unauthorized party, reduces performance, can exploit DNS); Trojan.
Untrained User
Most likely to be vulnerable to clicking on a malicious link in an email.
NullPointerException
Occurs when an application tries to use an object reference with a null value.
Penetration Attack Phase
Order: initial exploitation (a successful attack on a single computer), escalation of privilege, pivoting, and persistence (initial exploitation has concluded, and the tester is interested in maintaining their access to the network).
Salted Hashing
Password randomization, preventing a rainbow table attack on password hashes.
SYN Stealth Scan
Performs a half-open scan. Does not complete the 3-way handshake; instead, the response exposes the IP addresses of systems that respond. Then an RST (reset) is sent in response, closing the connection.
DNS poisoning
The perpetrator redirects traffic by changing the IP record for a specific domain (permitting attackers to send legitimate traffic anywhere they choose).
Default Accounts, Passwords, & Configurations
Provide a simple means for an attacker to gain access to a system because the system is vulnerable.
Security Content Automation Protocol (SCAP)
Provides automation methods for managing vulnerabilities.
Password Guessing/Brute Force/Dictionary Attacks
Repeated guessing of logons and passwords. Hybrid attack: a combination of dictionary and brute-force attacks.
Race Condition Vulnerability
Results when several threads try to access and modify the same data concurrently, causing system malfunction, crashes, or privilege escalation.
Ping Scan
Sends ICMP pings to a range of IP addresses. If an IP responds, the network scanner knows there is a host operating at that IP address. Most firewalls block this capability, so results are inconsistent.
Ransomware
Software that encrypts programs and data until a ransom is paid to remove it.
White Box Testing
Testers use their knowledge of system internals when testing the system.
Port Scanning
The act of systematically scanning and identifying a computer's open ports to determine what services are running on the system.
Risk
The possibility of a threat exploiting a vulnerability and resulting in a loss. Risk = Threat × Vulnerability
Fuzzing
The practice of sending unexpected input to an application for penetration testing; can also be used in a security assessment.
Spoofing
The process of making data look as if it came from a trusted or legitimate source. Create rules to block all incoming traffic from private IP addresses to prevent spoofing.
Refactoring
The process of modifying a working program to improve function interfaces and other qualities of the code.
Exploitation Framework
Toolsets that can be used offensively or defensively and are often used by pen testers as well as hackers. Store information about security vulnerabilities used to detect and exploit software. Used for penetration testing and risk assessment.
Logic Bombs
Trigger on a particular condition.
System Hardening
Use a configuration compliance scanner to: remediate non-compliant configuration items, disable unnecessary services, restrict administrative access, and enable auditing controls on a server.
Gray Box Testing
Uses a combination of white and black box techniques. The tester has some understanding of, or limited knowledge of, the inner workings.
Fingerprinting Attack
Usually part of a reconnaissance attack, identifying specific information about a system. It identifies IP addresses used in the target network using methods such as an ICMP sweep or a host enumeration sweep. Ping scanners are also used.
False Positives
When a vulnerability is incorrectly identified. False positives from an IDS can cause an increased workload because they falsely indicate an alert has occurred.
Data Execution Prevention (DEP)
Windows feature that uses a combination of software and hardware to prevent the execution of code in unintended areas of memory to protect against buffer overflow attacks.
Class C fire extinguisher
A fire extinguisher rated to put out electrical fires.
Botnet
A group of compromised computers or mobile devices connected to a network.
Spear Phishing
A phishing expedition in which the emails are carefully designed to target a particular person or organization.
Whitelisting
A process in which a company identifies the software that it will allow to run on its computers.
Password Cracker
A program that attempts to discover passwords.
Phishing
A technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail.
Rainbow Table Attack
Attempts to discover the password from a hash lookup using databases of precomputed hashes; bypasses maximum failed login restrictions. The countermeasure is salting.
Trojans
Harmful software disguised as legitimate software that tricks people into loading and executing it on their systems; does not infect files or self-replicate.
Clickjacking
A technique that tricks users into clicking on a malicious link by adding the link to a transparent layer over what appears to be a legitimate web page.
Input Validation/Handling
The process of inspecting data given to a program by the user and determining if it is valid. Prevents input that can impact data flow, allowing an attacker to gain control of a system or remotely execute commands. Server-side input validation results in a more secure system than client-side input validation.