1.0 Attacks threats and vulnerabilities 24%

Shadow IT

IT work that is outside of your organization. This allows them to work around IT policies in the company. Could cause sec risks and compliance issues.

integer overflow

When a large number is placed into a space with smaller capacity. The extra numbers may overflow into other parts of memory causing problems

RFID NFC

uses rf to find the id tags seen on pets and access badges. The data between the tag and the reader coujld be captured, the attacker could spoof the reader to modify the tag. they could jam the frequencies. encryption keys for the tags may be found on google NFC- helps with bluetooth pairing, the nfc communication could be captured and jammed as well or sit in the middle of the conversation.

SSL/TLS version history

-SSL 2.0 1995: deprecated in 2011. Deprecated means do not use it anymore as an industry best practice. -SSL 3.0 1996: vulnerable to POODLE attack and was deprecated in 2015. -TLS 1.0 1999: An upgrade to SSL and also changed the name from SSL to TLS. Can downgrade to communicate with 3.0. -TLS 1.1 2006: deprecated in 2020 by most modern browsers. TLS 1.2 and 1.3: The latest standards used to communicate with web servers.

Physical attacks : usb charging cable usb flashdrive

-looks like a normal charing cable but when you plug it in your pc, the OS sees it has a HID human interface device. A HIDs are keyboards and mice; the HID can then type information into your pc and open a command prompt and download malicious software. -malicious flash drive; old OS would auto-run flash drives but this is disabled by default in modern OS. It will act as a HID as well. Even if it wasnt a HID the drive could have malware in pdf files; or run macros from spreadsheets. If the interface its plugged into is configured as a boot device, then it will infect your pc when it boots/reboots. Malicious flash drives can also have act as a wirless ethernet adapter which would allow the attackers device to connect to it. -An overlay over a real card reader that collects the information on your credit card. It may have a camera to see what numbers you type in. These can be at gas stations and ATMs. Take a close look at the card reader and if it seems malicious. To combat this, card readers can be made with an obstrusive plastic overlay making it hard to place a skimmer over it, or the card reader may be seethrough so attackers cant hide the added circuitry. -The attacker creates an exact duplicate of your card with the data from their skimmer device. However attackers can not clone the chip, only the magnetic stripe. So attackers will clone gift cards; wait for them to be activated and then use them before the person who bought it gets a chance to.

Windows powershell

A specially built command line for windows 8.0 8.1 and 10, used by sys admins. powershell scripts have a .ps1 extension. powershell extends command line functions and uses cmdlets (command-lets). Can use scripts and run executables from powershell.

Resource exhaustion ZIP bomb DHCP starvation

A DoS attack that may use a lot internet bandwidth to crash or make an app not usable. An example of this is a ZIP bomb that is 43 kb when compressed. If you unzip the file it contains 4500 terabytes. AV will see this. DHCP starvation- An attacker floods a network with tons of ip address requests. They use a single device that appears to have multiple MAC addresses and take ips until they are all used up. Switches can be configured to limit the number of DHCP requests which may prevent this.

closed/proprietary intelligence

A compiliation of threat information that was compiled and you must pay to see it. Constantly identifies new threats and can create automated threat prevention workflows

Python

A general purpose scripting language than can used across different OS. Python has a .py file extension. py scripts are often used for cloud orcchestration to tear down and create application instances. If an attacker wants to attack infrastructure devices like servers, routers, and switches, python is a good choice.

race condition TOCTOU

A programming issue where two things happen at the same time causing problems. Time of check to time of use is an attack where things change from checking the status to making a change. If two users saw an account with 100$ in it and they wanted to add 50 to it. When one person checks the account they may see that fifty was already added so they take away the 50 they added. The other user may see 50 was taken away so they add another 50. The result is 200 instead of 150.

Typo squatting Prepending

A type of URL hijacking where a malicious URL is made to look like real one but with one letter or so misspelled. If you clicked a link in an e-mail or or typed the address wrong It would take to a site that tries to look like a real one. The fake would try to get your e-mail address or your credit card information. professermesser.com real professermessor.com fake Prepending is where the first letter is repeated in the URL such as pproffessermesser.com

pass the hash

A type of replay attack. When client authenticates to a server with a password sent as a hash. If the hash is not encrypted; if an attacker sees the traffic through arp poisioning, tapped network device etc, etc, then the attack could guess passwords and hash them until they get a matching hash. Then they would be able to login as the client. Make sure to use SSL/TLS so that the hash is encrypted. With the hash being encrypted it is useless even if captured by an attacker. The hash may also be salted with a session ID. So that if someone figures out the password to create the hash.

Refactoring/ metamorphic malware

A way malware authors can get through AntiV/AM. When a victim downloads the malware it will be unique version; therefore your AV/AM wont have a signature for it. The malware is programmed to appear different to your AV/AM each time it is downloaded. The code could be written to have loops or pointless code strings so that it is different from the previous. It may be able to redesign itself by re-ordering its code and insert unused data types. Mitigation: defense in depth / the multilayered defense approach .

on path browser attack

Also known as man in the browser. This is when the man in the middle is on the same pc as the victim. Here the malware is relay between the victim and the other devices. ITs in the browser pf the computer. This allows th attacker to see all data sent even if it is encrypted. The malware/trojan etc, will wait for you to log into your bank, and then clean it out. The bank trusts the browser, the computer ip etc, it has no idea the malware is running. The malware captures your log in credentials and keystrokes. Always keep AV/AM up to date

Pharming

An attacker collects sensitive information on multiple people. This may be done through DNS posioning. When you type the URL to a legitimate site, the DNS takes you to a malicious version of that site instead bc the DNS server was posioned. The site will phish important information from the userers. Where phising is an attempt to collect credentials from people.

Reconnaissance

An attacker gathers information on an individual often uses public information on sites like facebook and linked in. They can figure out where you work, who your family members are in order to create a more convincing pretext for an attack. Impersonation is often done from reconnaissance the attack has done.

replay attack vid 30

An attacker sees traffic on a network either through arp poisoning or by tapping into the network with a device, or malware on a users computer. The attacker can "replay" gathered information to appear as if someone else sent it, like an authorized user. They gather session ids and credentials etc. The attacker does need the user hes copying to be online to do the replay attack.

RF jamming

An attacker transmit rf signals which decreases the SNR ratio so the victim hears more noise than signal resulting in bad quality. This is a DoS to prevent communication. This could be caused by a microwave and fluorescent lights but that would interference not jamming. Wireless jamming- creates random amounts of information on the network to overwhelm the good signal, or constant legitimate frames. the attacker may be intermittently sending good frames and intermittently sending bad frames. They only jam when someone tries to communicate ont he network. The jamming device would need to be close to the wireless signal. To find the jammer you do a fox hunt with a directional antenna and headphones.

Macros

Application use their own scripts called macros. MAcros are designed to make applications easier to use. Attackers can create macros themselves which are executed when a user opens the file containing the macro.

Asymmetric threat DDoS amplification zip bomb mesured cloud service issues OT DoS

Asymetric threat -the attacker has fewer resources than the device its attacking. amp- tunrs small attacker into a large attacker at the victims machine. usually reflecting one protocol onto the victims machine which might be icmp or dns. Turns internet services against victims. application DoS- causes an app to fail. such as a zip bomb with 4.5 petabytes that overwhelms the storage on a pc. overuse a measured cloud serveice- If resources are added as demand is increased, an attacker could spike demand for an application and cause a big costs to the company. This is also an application attack. operational technology DoS- This brings down hardware and software for industrial equipment. Like eletric grids, traffic lights, manufacturing plants, etc. This could create problems for a very large area and a lot of people are effected. Therefore we use different approaches to segment and protect these components.

domain hijacking

Attacker has access to the account that controls the domain registration; now they can control where the traffic flows. They dont need to touch the actual DNS servers. To ge the account information they may brute force the password, use social engineering, etc.

watering hole attack

Attacking a 3rd party that a user might visit in effort to attack the user indirectly. For example If we want to put malicious software on joe's pc we infect a site joe will visit such as a amazon. When joe visits amazon his computer gets infected, but so does everyone elses computer. We infect everyone but we only want to get to Joe. We may set the malware to only infect machines with very specific ip addresses such as joe's pc. We also might hack into a public wifi such as at coffee shop. Then everyone who connects to the wifi t the coffee shop will be infected.

AIS STIX TAXII

Automated indicator sharing- an automated way to share threat information between organiztions at the speed of the internet Structured threat information expression- is a standardized format to transfer this data. This includes motivations, abilities, capabilities, and response information. Trusted automated eXchange of indicatior information- the transport to securely share STIX data.

cryptographic attacks vid 25 start here birthday attack hash collision

B day attack- based off the idea of the chance of two students in a single class having the same b-day, which is actually a really high chance. When two plaintexts result in the same hash we have a hash collision. Researches were able to create a fake CA that appeared legitimate based on a collision with MD5.

Bluejacking Bluesnarfing

Bluejacking- Sending an unsolicted message to a user over bluetooth. Does not need wifi or cellular. attacker would have to be 10 meters close. Bluesnarfing- When an attacker access data on your mobile device using bluetooth. Modern devices are not susceptible but an older device b4 2003 are susceptible.

rogue access point

Can be created by using wireless sharing on your phone, or by buying an access point make sure to survey your network and walk around the building. use 802.1x so connections are authenticated this way someone outside the org could not connect to the network even if they connected to the access point. When it has the same SSID and configurations it is an evil twin. This would be easy to do on guest networks and hotspots

improper input handling

Causes issues when specific strings are put into an input field. such as sql injections, buffer overflows, etc.

Hoaxes

Could be a threat that doesn't actually exist. They may have you buy a gift card, but then they get the gift card. Could be pop ups that pretend to be malware but actually aren't. Spam filters often stop hoaxes.

URL hijacking

Creating a domain name that looks like a legitmate one. Somthing like a .net instead of .com that shows the users ads instead of the real site. The hijacker could also sell the misspelled domain name to the actual owner, so theat users a re redirected to the actual site when typing in the wrong one. Hijacking is usually used for phising so users are tricked into typing their log in credentials on the fake site. The fake site could also be used for a drive by download, which automatically installs malware when visiting the fake site. different top level domain would be using .org when its actually .com

XSRF/CSRF one-click attack session riding sea surf

Cross site request forgery- Can be abbreviated as XSRF or CSRF. Takes advantage of a site's trust with a browser while a user is logged in already. The attacker makes requests for themselves which appear to be from the victim without them knowing. Mitigation: usually a cryptographic token is used to make the requests, so attacker can't make the request without the token.

driver manipulation

Drivers are used so hardware such as a mouse can communicate to the OS properly. They are often trusted by the OS. Driver interactions can contain sensitive information. An attacker could manipulate the driver to perform another malicious like key logging. Also called driver shimming?

Dumpster diving Shoulder surfing

Gathering information on users by looking through their garbage such as mail and personal information. Shred or burn important information instead of putting it in the garbage. shoulder surfing is when someone stands behind you and sees sensitive information on your computer screen. There is a privacy filter that makes the screen only visible if you are standing directly in front of it. A person standing to the side of the screen only sees a black screen. Keep computer away from windows so someone with binoculars cant see your screen.

Attack Vectors Direct Access

Method used for an attack Direct- physical access to a server. They can reboot the server and reset the admin password easily. A USB key logger. Denial of service by unplugging the power

Memory leak

Normally an application allocates memory for its own use and then gives it back when its done. With a memory leak it is never returned which causing it slowly use up all the memory on the system. This will crash the system eventually.

On path attacks ARP poisoning

On path attacks are also known as a man in the middle attack. ARP poisoning is a common on path attack on a local subnet (which the attacker needs to be on). Imagine if there was a pc and a router on a local subnet. TLDR; the attacker sends an arp message which makes the pc think the attacker is the router; and makes the router think the attacker is the pc. This rewrites the arp cache the pc/router previously had. ARP= ip to MAC Now when the pc talk to the router, it sends the messafe to the attacker first which then forwards it to the router.

OSINT

Open source intelligence (oh-sent)- publically available sources for anyone. Can be come from the internet, government data, and commercial data which comes from businesses and organizations.

Cloud attack vectors

Orchestration attack - increses the load on a cloud application to waste resources. SEcurity misconfigurations. Publically facing apps, brute force or phish users using the cloud service

Spear Phising

Phishing with convincing inside information against very specific groups of people or a person. Done in a way so That you think only people in the company would know. Spear phishing the CEO is called whaling.

E-mail attack vectors Supply chain vecotrs Social media vectors REmovable media vectors

Phising attacks MAlware inside email social engineering with a invoice scam Each step a product takes to get to you is an attack vector They see you location, job info, know where you were born. which could be used to reset a password. Fake friends that you add. Malicious usb drive- can get around firewall. Transfer sensitive data to usb drive.

buffer overflows

Putting more memory into a field than it is designed to take. The excess memory is put somewhere else with a malicious purpose. like if a field can only store a max num of 60; the attacker puts 61 into it and the extra one is put somewhere else Which may give them elevated rights or crash the system whenever they like. This is hard for an attacker to use bc it just breaks most systems and they dont get much use out of it. Application devs should perform bounds checking to make sure no one can overwrite sections of memory

Dark web intelligence

Rquires specific software and configurations to access these sites on the dark web. You can monitor forums and hacker groups on the dark web that may be selling credit cards, account names, and see what tools hackers use.

SSRF

Server side request forgery- Requires an attacker to find a vulnerable web application, to this attack where the attacker sends specially crafted packets that make the server work or the attacker. The Server performs request on behalf of the attacker. The attacker can use to see things like a private network that only the server should be able to see. This is uncommon but mostly caused by bad programming. Example: -Attacker sends a request from a web application trusted by the server. -The server then sends a request to another service such as cloud file storage. -The cloud storage sends a response to the web server -The web server forwards the response to the attacker mitigation: The server should be coded to validate inputs and outputs to itself. Also use a web application firewall (WAF).

broswer cookies and session ID Session hijacking, (sidejacking)

Session ID is tempory thing you get when logging into a site. They allow you communicate without having to keep typing in your username and password, so instead of sending that over and over again your pc sends the session id to the server. These IDs expire after being idle so you have to log back in. If an attacker gets an active session id they could be logged in as you without having to know your password. attackers may use a packet sniffer like wireshark or kismet. They coujld use XSS to have the session IDs sent directly to the attack. The attacker then modifies theyr headers being sent to server to have the session id using 3rd party utilites like tamper firesheep and scapy. They could also modify their browser cookies to make themselves look identical to the person they stole them from Cookies are data stored on you when you browse the internet. Session IDs are often stored in the cookies. If your cookies Use SSL and TLS so that the attacker can not see the session ID. Use HTTPS, use an extension that forces HTTPS or TLS. most sites are HTTPS only. If the site does not support https you should use a vpn so the data is encrypted even if captured.

Shell script

Shell scripting is used in unix/linux OS. This can automate and extend the command line. A shell script starts with a special set of characters: #! which is called a shebang or a hash-bang, and often (not always?) has a .sh file extension. If the attacker uses linux, or wants to attack linux, he will use shell. Becuase shell can control the OS from the command line, malware could use shell script to attomate these attacks.

Shimming

Shimming- A shim is something that fits into the gap between two objects. Like putting a small pad between a table leg and the floor. Windows compatibility mode is also called a shim used for applications. A legacy application may not work well on windows 10; so a user might use compatibility mode for windows 7. This information is stored is an application compatibility Shim cache; which is used to cache the information being transferred from the current os to the old compatible os. Malware authors make their own shims to get around security like user account control. In 2015 an attacker was able to create a shim that granted elevated privileges.

Smishing

Short Message Phishing- In the form of a text message that may attempt to collect information using links in the text msg. The number could be spoofed as well.

Domain Reputation

Sites have reptutaitons tracked by the internet, if your company sends mass e-mails and many users click "this is spam" that lowers your domain's reputation. If it gets so slow you may not be able to send e-mails at all. An attacker could lower your reputation with alware that sends tons of spam e-mails on your companys name. If a site contains malware it is indexed by search engines. The domain will be flagged with a warning message when users visit it; or just removed. This could damage your brand if your domain was infected as sales could drop.

Physical attacks Skimming card cloning

Skimming -An attacker creates an overlay over a real credit card reader that collects the information on your credit card. It may have a camera to see what numbers you type in. These can be at gas stations and ATMs. Take a close look at the card reader ad check for scratches, if the size seems weird, and if it can be pulled out with a light tug. To combat this, card readers can be made with an obtrusive plastic overlay making it hard to place a skimmer over it, or the card reader may be see-through so attackers cant hide the added circuitry. card cloning -The attacker creates an exact duplicate of your card with the data from their skimmer device. However attackers can not clone the chip, only the magnetic stripe. So attackers will clone gift cards; wait for them to be activated and then use them before the person who bought it gets a chance to.

Persistent (stored) xss

Stored permantly on a server and anyone using that page could run the malicious script. Usually on message boards and forums. Anyone reading the message would run the script. If you are a web developer makes sure you valid input fields so scripts can not be run inside of them.

MAC flooding

Switches had mac addresses to their tables when they receive ones they dont have. They associate a mac adress with an interface like F0/1. When a switch receives a frame and doesnt know where to send it, it will flood that frame out all interfaces. The table has a limit to how many MAC adresses it can hold. An attacker will send many MACs that the switch doesnt have in its table. When the switche's MAC table fills up, it can nolonger add addresses; so it will instead broadcast traffic out all interfaces. This has tunred the switch into a hub/multiport repeater. Now the attacker can easily capture all the traffic being sent over the network. Most switches have a feature called flood guard which prevents a single interface from sending mac addresses over the network.

Social engineering tailgaiting invoice scam

TG is where a person follows someone in after an authorized person badges in a door. They may wear 3rd party vendor uniforms to blend in. They may have their hands full of food or they smoke in the break area and follow the authorized smokers inside. there mau be access control vestibule/airlock that only lets one person inside at a time. invoice scam is where an attacker finds out who pays th ebills in an organization and then they send fake invoices claiming a bill needs to be paid. This could be considered spear phishing, the invoice could contain bills for products you actually use in your organization and a spoofed address that appears to have authority. It may include a link in the email that would then be used to pay the bill but also gather the credit card information.

Elliciting information identity fraud

The attacker gains information about a user without them knowing. These details can be used to open up credit cards and loans in your name bc they have stolen your identity. Always verify the person is real, or contact the actual person they are claiming to be.

supply chain attack

The supply chain consists of the different mechanisms for which products are delivered, from warehouse to retailer, to your house. Somewhere along the way something malicious happens. This happened with target where 40 million credit cards were stolen. Attackers infected the HVAC vendor target uses, then used the HVAC vendor credentials to get into targets corporate network. Here they had access to every ATM across the country. To mitigate this try to work with as few vendors as possible and audit vendors. Make sure your new router/firewall/switch etc weren't infected somewhere along the supply chain.

DNS poisoning

This could be done by moddifying the host file on the DNS server itself, or on the local host file on a machine. The host file has priority over DNS queries which means the host file is chosen first. This could also be done by an on path attack that responds to a DNS query with a malicious DNS. When the server is modified, it will then send incorrect dns information which is probably a domain the attacker has control of.

cross site requests

This happens when youre on a site that sends a request for a vid or pic hosted on another sites server. An example would be being on messers website and seeing video thats coming from youtube, or a picture thats coming from instagram server. These cross site requests are done by html. When you load the yt vid on messer's site, you do not have to log in to youtube to see the the vid on his site. This "trust" is whats used by attackers to do malicious things like cross site request forgeries.

Machine learning adversarial AI

Training AI to learn on its own by analyzing patterns. They may be able to make better predictions based on their learning/training. A spam folder will use machine learning to learn what spam might look like, or a retailer may recommend you products based on its machine learning. -Attackers may try to poison the learning and training data. They could make it learn incorrectly. Attackers try to find holes or vulnerabilities. Like they will try to get through the spam filter by changing their spam format to get through the filter. this is an evasion attack. - to mitigate this, constantly re-train with new data. Try to mimic what an attacker would do to your AI to make it stronger. Check training data and verify it hasn't been changed.

Influence campaigns

Used to sway public opinion on social issues. used to change way people think and may be used by other controis to change elections or the way people think. This is often done by creating a bunch of fake accounts with a certain opionion. People read this and may think its real and share it. Mass media will then pick it up so that it spreads even more. This my be done by military in an effort to conduct cyber warfare. may change the news in outher countries.

VBA

Visual Basic for applications VBA- scripts for windows office applications like word and excel. this praggramming language can interact with the OS directly which an attacker may take advantage of.

Vishing

Voice phishing- where the area code is often spoofed on a phone call. The caller tries to get your credit card information. Like when Indians call about your cars warranty.

Client side code and server side code.

Website pages have both client and server side code on them. The client side renders the page on the screen and uses html and javascript. The code executing on the server side performs requests from the client like uploading a vid to youtube. Code used on the server side is html or PHP. PHP is a server side scripting language that is embedded in HTML. PHP is used to manage dynamic content, databases, sesssion tracking, and is built into popular databases like oracle and microsoft SQL server.

directory traversal / path traversal attack

When a client usses a webserver they should only be able to use the server files for the web application. With directory traversal they are able to access other files on the server such as the os system files. This is a web server software vulnerability. Or it could be a problem with the web application code. Where an attacker using a GET ../ to go backwards in the directory away from the server directory. This could take them the C drive the os is installed on as they.

wireless deauthentication attack

When an attacker causes device on the wireless network to suddenly not be able to communicate with the network. You may be connected for a short time and then disconnected several times. Wireless uses 802.11 management frames tha make everything work. they are used for association, qos, disassociation, find access points etc. the original 802.11 frames were sent in the clear. An attacker could send management frames themselves to disassociate your device. 802.11w in 2014 made management frames encrypted and 3rd parties can not send these frames. Certain frames are not encrypted like beacons, probes, authentication, and association. 802.11ac requires 802.11w so this wont happen.

MAC cloning / spoofing

When an attacker changes their MAC address to match the MAC of a legitmate device on a network, or was recently on a network. This would allow them to match an existing MAC allow list so they could connect to the network. This could also cause DoS and intermittent connectivity if the attacker clones a MAC currently being used. MAC addresses are easy to change with device drivers. Many switches has features that block MAC cloning/spoofing

on path attack

When an attacker finds a way to sit in the middle of the conversation between two devices such as a client and a server. This can be done with: -proxy server -arp spoofing -rogue wi-fi hotspot

SSL stripping/ HTTP downgrade

When an attacker is able to to make your browser use HTTP instead of HTTPS. The attacker site in line between the client and server to do this. This applies to both client and server. This is a combination of a down-grade attack and an on path attack. -client sends a GET http request -attacker sits on path -server receives http rq but wants to use https -attacker intercepts the request to use https -a secure https tunnel is made between the attacker and server. -the attacker forwards unencrypted traffic back to the client Now that the client is connected with the server in the clear, the attacker can see all data sent. When the client sends a POST command to log into the server with their username and password; that information is seen by the attacker and simply forwarded to the webserver using https. Mitigation: the browser client is designed to not send an http get message, and the web server is designed to not respond to an http get message.

improper error handling

When an error occurs with an app there is usually a message displayed. The app should be coded to not show too much information such as network information, memory dump, stack traces, and database dumps. This can be fixed by properly developing the app

NULL pointer dereference

When application uses memory they store it in a place to reference the memory. An attacker could make the reference point to a null reference which contains nothing. This will crash the application. This may show debugging info and is a form of DoS.

downgrade attack

When two sides want to communicate securely they agree on a type of encryption. With a downgrade attack, the attacker finds a way in the middle of this conversation and gets both sides to agree to a very weak form of encryption. This makes it easy to crack the encryption. TLS used to have a vulnerability called POODLE padding oracle on downgraded encryption that forced clients to use SSL 3.0 which has lots of vulnerabilities. Bc of this most modern browsers do not allow SSL 3.0 encryption.

cryptographic nonce

a random or psuedo random number used once. For nonce, means for the time being. Somthing that cant be reasonably guessed. A nonce is used when logging in to a server. The server gives you nonce and you combine it with your password hash. This is so each password hash is different which makes it so an attacker can't do a replay attack bc the nonce cant be used again. You get a different nonce each time you log in, so capturing the hash does nothing.

Cross-site scripting

XSS- A malware that uses a javascript vulnerability in old browsers and in website applications. non-persistent (reflected xss)- A website that allows scripts to be run in input fields such as a search bar. Say if you entered you cc number in a field, the script would automatically send session and cookie information information to the attacker. This makes it so the attacker can log in as you without a user or pw bc the session indicates that they were already signed in. The user has to click a very specific link for the reflected xss to work. This is more specific as it only targets one person,

vulnerbility databases

a compilation of vulnerbility data that is compiled and shared to everyone. one popular one is the common vulnerability and exposures database. CVE which is sponsored by the dep of homeland security and the cybersecurity and infrastucture security agency CISA.

APT

advanced persistent threat- attackers in the network undetected.

adware

advertisememnts that may make you computer slow and makes you see lots of advertisements. Some adware can pretend to be AV but is actaully adware. Spyware gathers information on you, by gathering information where you visit, often done through trojan horse. May record key stroaks. attackers make money from forcing users to watch ads. especially if lots of people were infected.

API attack

application programming interface attack is when attackers manipulate the api to get elevated access or cause a denial of service. API is usually running on a mobile phone. API requests and responses are used instead of say a http GET and http response message of a traditional application.

Credential harvesting

attacks get your login credentials that your browser stores. like chrome and firefox, broswers all store credentials in different ways. they often send an emil with attatchment that with a word documen with a macro that runs a script automatically downlaods the credentials using credential harvesting malware.

social engineering principles

authority, claim to be a high ranking person intimidation there will bad things if you dont help. like a late fee. consesus/social proof- your coworker just did this for them last week so you should be able to do it for them this week. Bill didnt ask for my credentials last time why should you? Scarcity- The situation is time sensitive and you must act now b4 time runs out. Urgency-quickly make the chsange right now similr to scarcity. tries to get you to act right away without thinking. Familiarity/liking- they act like your buddy asnd may talk about people you know; which they could have found through your fscebook friends list. "Since we both know matt its ok for you to do this for me." Trust- might say theyre from IT they want you to trust them One example is an attacker used social engineering to steal the 50k twitter username @N from user naoki hiroshima

cloud based vs on site/premise security

cloud based sec- centralized and less costly. no need for dedicated hardware or data center to secure on site. The cloud provider handles everything. attackers can not physically get into your server room and mess things up if its in a cloud. Security updates and signatures are managed by the cloud provider. Cloud tends to have more uptime and availability. upgrades may not be as customizable but are usually one click away. on site/premise- burden of sec is on the client. Client has have their own hardware and pay and maintain their own security. You have full control of everything. IT team can manage sec better. however the staff may be expensive. The local team can manage the sec uptime and availability; so you dont have to call any 3rd parties. However changes to security can take time including configuring new equipment which may inlcude additional costs. The cloud based sec model would probably just be clicking a few buttons for sec changes and updates.

public file/code repositories

contains public code. sometimes private code may be relesed publically by mistake which the hackers could then use. they would use the code to find vulnerabilities or in future phising attacks

Botnet

controlled by a C2 or C&C command and control server. C2 sends one command and all bots follow it. Your computer acts a bot alongside other bots making up a botnet. Used for Ddos attacks. They can proxies or relays for spam. The pc is a bot bc it obeys commands automatically. watch netowkr for unusual traffic. use IDS IPS. Block the commands from C2 at the firewall. Malwarescan can find a botnet in progress.

password attacks

dont store passwords as plain texts, where attackers could see it. Apllications may store the passwords as plain text. Store passwords with a hash. A collision is when two hashes have the same hash but are different when encrypted. The SHA-256 encrypts. Spraying attack, avoids typing in the same password and being locked out but triess very common passwords such as 1234567 and qwerty. They only try 2 attempts in order to not lock out the account. Brute force- if the attacker gets the hash of a password, they will try every single combination of letters until they can match the hash offline to avoid being locked out. the offline attack uses the password file they dowloaded. dictionary attack- a list of common passwords and may include passwords that substiute letters. GPU can calculate the password. Raibow table- After an attacker does a brute force, instead of running a brute force again and starting at AAAA, it will save all the hashes it created last time. In hopes that one of the daved hashes matches the desired one. These pre-calculated hashes saves time and storage. May function as an instantaneuos lookup, however each OS or algo may make hashes different, so the table may have to be re made. Salted hash- a little bit of random data added to a hash. So if two users have the same password, they wont have the same hash due to the random data. Therefore rainbow tables will not work. The attacker would then need to know how the salt was created. haveibeenpwned.com- lets you know if your username and password was released.

privilege escalation

horizontal PE is when an attacker hacks pc 1 to look at resources on pc 2. PE is getting admin rights on an account that shouldn't have them, or when a person gets access to an admin account they're not authorized to have. Use anti malware/virus and patch and updates. data execution prevention- applications can only run in certain areas of memory where that function is allowed. Address space layout randomization- OS will randomize where information is stored in memory. This way if attacker hacks a pc he can not use the same method for two pcs bc of the randomness. This prevents a buffer overflow at a known memory address

IOC

indicator of compromise- an event that indicates and intrusion. indicators may be high network activity, change to file hash values, irregular international network traffic, changes to dns, uncommon log in files, spikes of read requests to certain files.

public/private information sharing centers

information can be shared publically or by a private company. The sharing of this information needs to be quick, secure, and up to date. Bc it may contain classified information

IV Salt

initialization vector (IV)- a type of nonce used for randomizing an encryption scheme, the more random the better. The IV is added to an encryption key like wep which makes it stronger salt- a nonce commonly associated with password randomization. password stoarage should always be salted, so that even if users have the same password the salt makes them look different.

Malware

malicious software. may record keystrokes, turn your pc into bot, adware is malware that shows advertisements on your computer. Malware can be used to download other malware. never click links in email messages. pop up messges may try to get you to click links. a drive by downlad happens when you visit a site that automstically downloads malware.

Threat intelligence

research and data about threats used by resaercerhers and sec teams

competitors

other companies that try to harm yours through DoS, espinage, and harm your reputation. Well funded and sophisticated.

Predictive analysis threat maps

predicts when a compromise might happen. Such as high number of dns queries, traffic patterns, international traffic,. yiu may be able to predict an attack and set up more sec for these systems. A very large amount of data, that has less emphasis on specific things like signatures. threat maps- a visual map of attacks and trends most viewable on the internet. made from real time data pulled from many different sources.

injection attacks

putting code into a field. SQL injection is used to attack database applications. XML injection extensible markup language- rules for storage. LDAP injection- may store information about devices or user is the lightweight directory protocol DLL injection dynamic link library- DLL is a windows library containing code and data used by many apllications. The injection would have one of these applications execute the injected code for us.

Wirelless Attack vectors

rogue AP. Evil twin. On path attack. Protocol vulnerabilities like WEP, WPA and the WPA2 key reinstallation attack (KRACK).

Rootkit

root is the admin account of a linux system which is where it gets its name from. It will modify files in the kernal of the OS which are the foundation of the OS that everyhting relies on. It is nearly invisible to AV and AM. If there was malware it may deny access to prevent you from deleting malware. Use the newer UEFI bios with secure boot, this will make sure the core OS files have not been changed, and if they hve changed the computer will not boot.

logic bomb

starts when a certain event occures. May be a time bomb that happens at a certain time. The bomb waits until it is triggered by a specific event. AV and AM can not see it with signatures. May be left by a disgruntled employee or malicious insider. There is no known signatures to identify logic bombs. Allow a proccess for change control. If a change happens without the proccess it may indicate a logic bomb. Set up alerts to when changes happen.

Threat actors

the entity responsible for an event that has impact on the safety of another entity. Also called malicious actor. can be insiders, nation states. A hacktivist is a hacker that has a political or social purpose. Script kiddies run other people scripts. Organized crime is sophisticated and well funded.

ransomware cryptomalware

they lock your computer and then ask for money for it to be unlocked. early ransom ware was just a hoax. cryptomalware encrypts all of your information and they ask you for money for it to be decrypted. using public key crptography. Keep a backup of all your data, preferably not online or accesible from the pc itself, bc the backup could be encrypted as well. Make sure patches and updates are installed so exploits in code cant be used on your pc.

trojans RAT

trojans pretends to be one program but is aactually mlicious software, like a game that is malware. May disable all your security tools and may download more malware snd instal backdoors. They often downlaod a PUP which is a potentially unwanted program. It may slow your computer, like a really annoying browser toolbar such as yahoo that is very hard to uninstall. It may change your search engine. A backdoor is way to get into your esily without having to have you click links or log in as you. The same backdoor can be used by other types of malware. Some software has built in backdoors. RAT remote access trojan or remote authentication tool is a backdoor that gives an attack nearly complete control of you OS remotely. logs for suername and passwords, may take screenshots, copy files, download more malware. transfer files run scripts. Dont click links and make sure everything is up to date and backed up.

Spam spim

unsolicited messages that are often advertisements or self promotion. Spam can also be used for phishing to get your information. Spam can also attempt to promote a particular worldview. SPIM is spam over instant message. One way to prevent spam is to set up a mail gateway dmz/screenedsubnet in front of your internal mail server with a firewall in between. Any spam will be discarded by the mail gateway. The filter in the gateway may use an ACL that only allows certain recipents to receive mail or send mail. It may also block mail that doesnt follow SMTP and RFC standards. Reverse rDNS could be used to block mail whose IP does not match the domain name associted with it. Tarpitting slows down the mail server and makes the send and receive take a long time. this will slow the spammers mail server so they may just skip over you instead of waiting. ACL my automatically block all except for certain allowed e mail addresses.

Virus Worms

virus can reproduce itself but needs the user to execute a program. A worm does not require the user to execute a program to clone itself, it does so automatically. worm can jump from machine to machine and across the network. May encrypt files, delete files etc. Keep signatures and anti-virus updated. prgram virus- is part of an application boot sector- in the boot sector of youre storage device that activates when your computer boots script virus- may be browser based or in the OS Macro virus- a virus running inside of another application usually other microsoft office apps. Fileless virus- never instals or saves itself as a virus on your system in order to avoid detection by AV. It stays inside or RAM and is never installed inside of the computer. Usually spread by clicking a link on a website or on e-mail then donwlaods software that runs as a flash, java, or windows vulnerability. Which may allow a script to run in powershell. They may add an auto start the virus on the registry everytime you boot the computer. Worm spread across the network and spreads quickly without user intervention in a short period of time. firewalls and IDS/IPS can stop worms if we have a signature for it. The wannacry worm installed cryptomalware using n exploit in microsoft SMB v1 using a worm called eternal blue. which then downlaoded the pulsr crypto maslware. All without any human intervention.