CompTIA Security+ SYO-601 Post-Assessment Quiz


Social engineering psychological approaches often involve:
- impersonation,
- phishing,
- redirection,
- spam,
- hoaxes, and
- watering hole attacks.

To impersonate real people, the threat actor must know as much about them as possible to appear genuine. This type of reconnaissance is called credential harvesting and is typically carried out by Internet and social media searches. The word phishing is a variation on the word "fishing," to reflect the idea that bait is thrown out knowing that while most will ignore it, some will bite. Whereas at one time phishing messages were easy to spot due to misspelled words and obvious counterfeit images, that is no longer the case. One reason that phishing is so successful today is that emails and fake websites are difficult to distinguish from legitimate ones: logos, color schemes, and wording seem to be almost identical. Spim: is spam delivered through instant me

Impersonation: masquerading as a real or fictitious character and then playing the role of that person with a victim. Sometimes the goal of the impersonation is to obtain private information (pretexting).

Phishing: One of the most common forms of social engineering is phishing. Phishing is sending an email message or displaying a web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information or taking action.

Redirection: Threat actors can use tactics to redirect the user to malicious websites. Typosquatting, bitsquatting, and pharming are examples.

Spam: an unsolicited email that is sent to a large number of recipients. Users receive so many spam messages because sending spam is lucrative. It costs spammers very little to send millions of spam email messages.

Hoaxes: A hoax is a false warning, often contained in an email message, that instructs the recipient to change configurations or erase files and then forward the message to other users. However, changing configurations allows an attacker to compromise the system, and erasing files may make the computer unstable, prompting the victim to call the phone number in the hoax email message for help, which is actually the phone number of the attacker.

Watering Hole Attack: an attack that is directed toward a smaller group of specific individuals, such as the major executives working for a manufacturing company. These executives all tend to visit a common website, such as that of a parts supplier to the manufacturer. An attacker who wants to target this group of executives tries to determine the common website that they frequent and then infects it with malware that will make its way onto the group's computers.

Types of Passive Reconnaissance:

Passive reconnaissance techniques:
- OSINT. Open-source intelligence (OSINT) is reconnaissance that uses publicly available information. ...
- Footprinting (passive version) ...
- Social engineering. ...
- Footprinting (active version) ...
- War driving. ...
- Drones and UAVs.

Potentially Unwanted Program (PUP)

A broad category of software that is often more annoying than malicious is called potentially unwanted programs (PUPs). A PUP is software that the user does not want on their computer. PUPs often become installed along with other programs and are the result of the user overlooking the default installation options on software downloads. PUPs may include software that is pre-installed on a new computer or smartphone and cannot be easily removed (if at all). Other examples of PUPs are advertising that obstructs content or interferes with web browsing, pop-up windows, pop-under windows, search engine hijacking, home page hijacking, toolbars with no value for the user, and settings that redirect to competitors' websites, alter search results, and replace ads on webpages. The term PUP was created by an Internet security company because marketing firms objected to having their products called "spyware."

SIEM

Security Information and Event Management (SIEM) consolidates real-time security monitoring and management of security information with analysis and reporting of security events. A SIEM product can be a separate device, software that runs on a computer, or even a service provided by a third party. The starting point of a SIEM is the data input. Data feeds into a SIEM are the standard packet captures of network activity and log collections. Because of the numerous network devices producing logs, SIEMs also perform log aggregation. SIEMs can also perform sentiment analysis. Sentiment analysis is the process of computationally identifying and categorizing opinions, usually expressed in response to textual data, to determine the writer's attitude toward a particular topic. In other words, sentiment analysis is the interpretation and classification of emotions (positive, negative, and neutral) within text data using text analysis techniques. Sentiment analysis has been used when tracking postings threat actors make in discussion forums with other attackers to better determine the behavior and mindset of threat actors. This type of information can be valuable in determining their goals and actions and has even been used as a predictive power to alert against future attacks.

SOAR

Security Orchestration, Automation, and Response (SOAR) is similar to a SIEM in that it is designed to help security teams manage and respond to security warnings and alarms. SOARs take it a step further by combining more comprehensive data gathering and analytics to automate incident response. While a SIEM tends to generate more alerts than a security team may be able to respond to, a SOAR allows a security team to automate incident responses.

Variations of Redirection Attacks

Typo Squatting: Fake lookalike sites filled with ads, for which the attacker receives money for traffic generated to the site, located on a URL similar to popular sites. These fake sites exist because attackers purchase the domain names of sites that are spelled similarly to actual sites. A well-known site such as google.com may have to deal with more than 1,000 typo squatting domains.

Bit Squatting: In addition to registering names similar to the actual names (like goggle.com for google.com), threat actors are registering domain names that are one bit different. The billions of devices that are part of the Internet have multiple instances of a domain name in a domain name server (DNS) memory at any time, increasing the likelihood of a RAM memory error that involves a bit being "flipped." An increasing number of registered attacker domains are the result of bitsquatting, such as aeazon.com (for amazon.com) and microsmft.com (for microsoft.com). Security researchers found that 20 percent of a sample of 433 registered attacker domains were the result of bitsquatting.

Pharming: attempts to exploit how a URL such as www.cengage.com is converted into its corresponding IP address 69.32.308.75. A threat actor may install malware on a user's computer that redirects traffic away from its intended target to a fake website instead. Another technique is to infect a DNS server so that it directs multiple users to inadvertently visit the fake site.

Variations on phishing attacks: (4) Phishing continues to be a primary weapon used by threat actors. It is considered to be one of the largest and most consequential cyber threats facing both businesses and consumers. During the third quarter of 2019, phishing attacks increased by 46 percent from the previous quarter and almost doubled the number recorded during the fourth quarter of the previous year. One nation saw a 232 percent increase in phishing during 2019. It is estimated that these trends will continue.

Variations on phishing attacks:
- Spear phishing. Spear phishing targets specific users. The emails used in spear phishing are customized to the recipients, including their names and personal information, to make the message appear legitimate.
- Whaling. One type of spear phishing. Instead of going after the "smaller fish," whaling targets the "big fish," namely wealthy individuals or senior executives within a business who typically have large sums of money in a bank account that an attacker could access if the attack is successful. By focusing on this smaller group, the attacker can invest more time in the attack and finely tune the message to achieve the highest likelihood of success.
- Vishing. Instead of using email to contact the potential victim, attackers can use phone calls. The victim is instructed to call a specific phone number immediately (which has been set up by the attacker). When the victim calls, it is answered by automated instructions telling her to enter her credit card number, bank account number, Social Security number, or other information on the phone's keypad.
- Smishing. A variation on vishing uses short message service (SMS) text messages and callback recorded phone messages. The threat actors first send a text message to a user's cell phone that pretends to come from their bank, saying that their account has been broken into or their credit card number has been stolen. Along with the text message is a callback telephone number the customer is instructed to call immediately.

Type of System Vulnerabilities (5)

Vulnerabilities: A vulnerability is defined as the state of being exposed to the possibility of being attacked or harmed. Cybersecurity vulnerabilities can be categorized into:
- platforms,
- configurations,
- third parties,
- patches, and
- zero-day vulnerabilities.

Types of Social Engineering techniques Because many of the psychological approaches involve person-to-person contact, attackers use a variety of techniques to gain trust. For example:

- Provide a reason. Many social engineering threat actors are careful to add a reason along with their request. Giving a *rationalization* and using the word "because" makes it more likely the victim will provide the information. For example: "I was asked to call you because the director's office manager is out sick today."
- Project confidence. A threat agent is *unlikely to generate suspicion if she enters a restricted area by calmly walking* through the building as if she knows exactly where she is going (without looking at signs, down hallways, or reading door labels) and even greeting people she sees with a friendly "Hi, how are you doing?"
- Use evasion and diversion. When challenged, threat agents might evade a question by giving a vague or irrelevant answer. They could also feign innocence or confusion, or keep denying allegations, until the victim eventually believes his suspicions are wrong. *Sometimes a threat agent can resort to anger and cause the victim to drop the challenge.* "Who are you to ask that? Connect me with your supervisor immediately!"
- Make them laugh. Humor is an excellent tool to put people at ease and to develop a sense of trust. "I can't believe I left my badge in my office again! You know, some mistakes are too much fun to make only once!"

Social Engineering Effectiveness (7) Social engineering is a means of eliciting information (gathering data) by relying on the weaknesses of individuals. Information elicitation may be the goal of the attack, or the information may then be used for other attacks. Social engineering is also used as influence campaigns to sway attention and sympathy in a particular direction. These campaigns can be found exclusively on social media (social media influence campaign) or may be combined with other sources (hybrid warfare influence campaign). Social engineering attacks usually rely on psychological principles. They also can involve physical procedures. Social engineering is one of the most successful types of attack and it does not even exploit technology vulnerabilities.

1- Authority: To impersonate an authority figure or falsely cite their authority. Example: "I'm the CEO calling."
2- Intimidation: To frighten and coerce by threat. Example: "If you don't reset my password, I will call your supervisor."
3- Consensus: To influence by what others do. Example: "I called last week, and your colleague reset my password."
4- Scarcity: To refer to something in short supply. Example: "I can't waste time here."
5- Urgency: To demand immediate action. Example: "My meeting with the board starts in five minutes."
6- Familiarity: To give the impression the victim is well-known and well-received. Example: "I remember reading a good evaluation on you."
7- Trust: To inspire confidence. Example: "You know who I am."

Types of Configuration Vulnerabilities (7)

1- Default settings: Default settings are predetermined by the vendor for usability and ease of use (not for security) so the user can immediately begin using the product. Example: A router comes with a default password that is widely known.
2- Open ports and services: Devices and services are often configured to allow the most access so that the user can close ports that are specific to that organization. Example: A firewall comes with FTP ports 20 and 21 open.
3- Unsecured root accounts: A root account can give a user unfettered access to all resources. Example: A misconfigured cloud storage repository could give any user access to all data.
4- Open permissions: Open permissions are user access rights over files that should be restricted. Example: A user could be given Read, Write, and Execute privileges when she should have only Read privileges.
5- Unsecure protocols: Also called insecure protocols, this configuration uses protocols for telecommunications that do not provide adequate protections. Example: An employee could use devices that run services with unsecure protocols such as Telnet or SNMPv1.
6- Weak encryption: Users choosing a known vulnerable encryption mechanism. Example: A user could select an encryption scheme that has a known weakness or a key value that is too short.
7- Errors: Human mistakes in selecting one setting over another without considering the security implications. Example: An employee could use deprecated settings instead of current configurations.

Features of SIEM Systems

A SIEM typically has the following features:
- Aggregation. SIEM aggregation combines data from multiple data sources, such as network security devices, servers, and software applications, to build a comprehensive picture of attacks.
- Correlation. The SIEM correlation feature searches the data acquired through SIEM aggregation to look for common characteristics, such as multiple attacks coming from a specific source.
- Automated alerting and triggers. SIEM automated alerting and triggers can inform security personnel of critical issues that need immediate attention. A sample trigger may be "Alert when a firewall, router, or switch indicates 40 or more drop/reject packet events from the same IP source address within 60 seconds."
- Time synchronization. Because alerts occur over a wide spectrum of time, SIEM time synchronization can show the order of the events.
- Event duplication. When the same event is detected by multiple devices, each generates an alert. The SIEM event duplication feature can help filter the multiple alerts into a single alarm.
- Logs. SIEM logs or records of events can be retained for future analysis and to show that the enterprise has been in compliance with regulations.

Penetration Testing Levels

Black box: Testers have no knowledge of the network and no special privileges. The main task is to attempt to penetrate the network. The main advantage of this type of test is that it allows testers to emulate exactly what a threat actor would do and see. The biggest disadvantage is that if testers cannot penetrate the network, then no test can occur.

Gray box: Testers are given limited knowledge of the network and some elevated privileges. The main task is to focus on systems with the greatest risk and value to the organization. The main advantage of this test is that it allows testers to more efficiently assess security instead of spending time trying to compromise the network and then determining which systems to attack. The main disadvantage is that this head start does not allow testers to truly emulate what a threat actor may do.

White box: Testers are given full knowledge of the network and the source code of applications. The main task is to identify potential points of weakness. The main advantage of this test is that it allows testers to focus directly on systems to test for penetration. The main disadvantage is that this approach does not provide a full picture of the network's vulnerabilities.

Social Engineering: Physical Procedures

While some social engineering attacks rely on psychological manipulation, other attacks rely on physical acts. These attacks take advantage of user actions that can result in compromised security. Three of the most common physical procedures are:
- dumpster diving,
- tailgating, and
- shoulder surfing.

Dumpster Diving: Dumpster diving involves digging through trash receptacles to find information that can be useful in an attack. Table 1-5 lists the different items that can be retrieved, many of which appear to be useless, and how they can be used. An electronic variation of physical dumpster diving is to use the Google search engine to look for documents and data posted online that can be used in an attack. This is called Google dorking, and it uses advanced Google search techniques to look for information that unsuspecting victims have carelessly posted on the web.

Tailgating: Once an authorized person opens the door, one or more individuals can follow behind and also enter. This is known as tailgating.

Shoulder Surfing: This technique can be used in any setting that allows an attacker to casually observe someone entering secret information, such as the security codes on a door keypad. Attackers are also using webcams and smartphone cameras to "shoulder surf" users of ATMs to record keypad entries.

