Security+: Threats, Attacks and Vulnerabilities
True
T/F It is generally a bad practice to run software after the vendor's end of life.
- Adware - Spyware - Ransomware
TYPES OF MALWARE PAYLOADS (independent programs):
Window of vulnerability
The time between the discovery of a zero-day vulnerability and the release of a security update that closes it
propagation mechanism
The way that a malware object spreads.
- christmas tree attacks - DNS and ARP poisoning
Types of network attacks
- viruses - worms - trojan horses
Types of malware propagation techniques
Trojan horses
* Disguise themselves as legitimate programs while carrying a hidden malicious effect * sometimes work as advertised when they run but deliver a malicious payload behind the scenes * arrive on systems when users install software
Viruses
* Spread by human action
Worms
* Spread by themselves * exploit system vulnerabilities * once one has infected a system it uses that system as a new base for spreading across the network
REMOTE ACCESS TROJANS
* provide backdoors into compromised systems * give attackers the ability to remotely access and control infected systems
packets
- are the basic unit of network communications - carry a data payload together with header information that includes the source and destination addresses
Man-in-the-browser
- the attacker compromises the user's web browser or a browser plug-in to gain access to web communications
- Advanced persistent threats:
- attackers that are well funded and highly skilled - typically government sponsored - persistent because they work methodically to gain access to a highly selective set of targets with military or economic value
Denial of service attacks
- an attack that makes a system or resource unavailable to legitimate users, typically by sending thousands or millions of requests to a server, overwhelming it so that it cannot answer legitimate requests
flags
- part of a packet header made up of single-bit fields that each contain either a 1 or a 0
Man in the Middle Attacks
- the attacker tricks the sending system during the initial communication into talking to the attacker instead of the real server - the attacker receives the requests from the user, passes them on to the server, receives the real responses, reads them, and then relays them to the original user
- propagation mechanism - payload
2 components of malware
- man in the middle attacks - replay attacks
2 types of eavesdropping attacks
Distributed Denial of Service
A denial of service attack that leverages a botnet to overwhelm a target; because the attack requests come from many different sources, they are hard to distinguish from legitimate requests
intimidation
A social engineer calls an administrative assistant in your organization and obtains her password by threatening her that her boss' account will be deleted if she does not provide the password to assist with troubleshooting. What type of attack is the social engineer using?
root account
A special superuser account that provides unrestricted access to system resources - normally reserved for system administrators
Zero-day vulnerability
A vulnerability in a product that has been discovered by at least one researcher or attacker but has not yet been patched by the vendor
try...catch
What Java clause is critical for error handling?
Christmas tree
What attack uses carefully crafted packets that have all available option flags set to 1?
' (apostrophe)
What character is essential in input for a SQL injection attack?
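Added example (not part of the original card set) showing why the apostrophe matters: the same login check written with string concatenation and with bound parameters, run against a constructed in-memory SQLite table. The table, user and payload are assumptions made for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed sample database with one user; not from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Vulnerable: user input is pasted into the query text, so an apostrophe in
    # the input closes the string literal and the rest of the input becomes SQL.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None

def login_safe(conn, username, password):
    # Hardened: the query text is fixed and the values travel as bound
    # parameters, so an apostrophe is only data, never syntax.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

def demo():
    """Run both versions with a legitimate password and with a classic payload.
    The payload turns the vulnerable query into
    ... AND password = '' OR '1'='1', which is always true."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "legit_safe": login_safe(conn, "alice", "correct-horse"),
        "injected_vulnerable": login_vulnerable(conn, "alice", payload),
        "injected_safe": login_safe(conn, "alice", payload),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

Input validation (stripping apostrophes) is a weaker fix than parameterization, because numeric fields, comments (`--`) and second-order injection give the attacker other routes; the bound-parameter version needs no knowledge of which characters are dangerous.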
memory leak
What condition occurs when a software package fails to release memory that it reserved for use?
shredders
What is the most effective tool to use against dumpster diving attacks?
Polymorphism
What technique does some malware use to modify itself each time it infects a new system to avoid signature detection systems?
session tokens
What technique is useful in preventing replay attacks?
KARMA
What toolkit enables attackers to easily automate evil twin attacks?
known plaintext attack
What type of attack is possible when the attacker has access to both an encrypted and unencrypted version of a single message?
Buffer Overflow
What type of attack seeks to write data to areas of memory reserved for other purposes?
logic bomb
What type of malware delivers its payload only after certain conditions are met, such as specific date and time occurring?
cookie
What type of object must a hacker typically access in order to engage in a session hijacking attack?
ICMP echo request
What type of packet do participating systems send during a Smurf attack?
whaling
What type of phishing attack focuses specifically on senior executives of a targeted organization?
site trusted by the end user
What type of website does the attacker use when waging a watering hole attack?
directory traversal attack
Alan is analyzing his web server logs and sees several strange entries that contain strings similar to "../../" in URL requests. What type of attack was attempted against his server?
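Added example (not part of the original card set) for the log entries Alan saw: a scan that pulls request paths out of constructed access-log lines, percent-decodes them so encoded `..%2F..` variants are caught too, and flags `..` path segments; alongside it, the server-side check that stops the attack by resolving the requested file under the document root. The log lines and the `/srv/www/files` base directory are made-up assumptions.

```python
import os
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 404 162
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 404 162
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 88412
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# A '..' segment bounded by a separator (/ or \) or by the start/end of a
# query value; checked after percent-decoding so %2F and %2e%2e do not slip by.
TRAVERSAL_RE = re.compile(r"(?:^|[/\\?=&])\.\.(?:[/\\]|$)")

def traversal_attempts(log_text):
    """Return the decoded request paths that contain a '..' path segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = unquote(m.group(1))
        if TRAVERSAL_RE.search(decoded):
            hits.append(decoded)
    return hits

def safe_join(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that escapes it.
    Returns the absolute path, or None when the result lands outside base_dir
    (covers '../' sequences, absolute paths and symlinked components)."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(user_path)))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

if __name__ == "__main__":
    for hit in traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
    for requested in ("report.pdf", "../../etc/passwd", "/etc/passwd"):
        print(requested, "->", safe_join("/srv/www/files", requested))
```

The detection side is a triage aid, not a verdict: a 404 means the request missed, while a 200 on a traversal string is the line to investigate. The defensive side should be applied to the real path the handler opens, after any framework decoding has already happened.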
WPA2
Beth is creating a new wireless network for her organization and wants to protect against eavesdropping attacks. What encryption technology should she use to protect the network?
Ransomware
Blocks a user's legitimate use of a computer or data until a ransom is paid, typically by encrypting files with a secret key and selling the key back for the ransom
Bluesnarfing Attack
Chris is attending a hacker convention and overhears someone talking about "force pairing" a mobile device. What type of attack is the individual discussing?
- confidentiality - integrity - availability
CIA triad
ransomware
Cryptolocker is an example of what type of malicious software?
IRC
Which of the following is a common command-and-control mechanism for botnets?
rainbow table
Dan is engaging in a password cracking attack where he uses precomputed hash values. What type of attack is Dan waging?
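Added example (not part of the original card set) of the precomputation Dan is relying on, and of the defence against it. A flat hash-to-plaintext dictionary is the simplest form of the idea; a real rainbow table compresses the same precomputed work into hash chains with reduction functions, which this example does not reproduce. The wordlist and the SHA-256 choice are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the attacker's dictionary (not from the page).
WORDLIST = ["password", "123456", "letmein", "qwerty", "dragon", "baseball"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_lookup_table(words):
    """Precompute hash -> plaintext once. Every later lookup is a dictionary hit,
    which is why unsalted hash dumps fall so quickly."""
    return {sha256_hex(w.encode()): w for w in words}

def crack_unsalted(table, stored_hash: str):
    """Attacker's side against an unsalted store: one lookup per stolen hash."""
    return table.get(stored_hash)

def store_salted(password: str, salt: bytes = None) -> str:
    """Defender's side: a random per-user salt is hashed with the password and
    stored beside the digest, so no table built from bare words can match."""
    salt = salt if salt is not None else os.urandom(16)
    return salt.hex() + "$" + sha256_hex(salt + password.encode())

def verify_salted(stored: str, attempt: str) -> bool:
    salt_hex, digest = stored.split("$", 1)
    computed = sha256_hex(bytes.fromhex(salt_hex) + attempt.encode())
    return hmac.compare_digest(computed, digest)

def crack_salted(table, stored: str):
    """The same table against a salted record: the digest covers salt+password,
    so the attacker would need a fresh table per salt, i.e. brute force per user."""
    _, digest = stored.split("$", 1)
    return table.get(digest)

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = sha256_hex(b"letmein")
    print("unsalted leak cracks to:", crack_unsalted(table, leaked))
    record = store_salted("letmein")
    print("salted record cracks to:", crack_salted(table, record))
    print("salted verify:", verify_salted(record, "letmein"))
```

Salting only removes the precomputation advantage; a plain SHA-256 is still fast enough to brute-force per user, which is why production systems use a deliberately slow password hash (bcrypt, scrypt or Argon2) on top of the salt.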
- build a strong security foundation - implement strong encryption - rigorous monitoring
Defending against APTs
8
How many digits are allowed in a Wi-Fi Protected Setup (WPS) PIN?
- perform background checks to uncover past legal issues - give users only the permissions that they need - require multiple users to carry out sensitive operations - implement a mandatory vacation policy for critical staff
How to protect against insider threats
black box
In a ________ penetration test, the attacker has no prior knowledge of the environment.
Spyware
Malware that gathers information without the user's knowledge or consent and then reports that information to the malware author
- backdoors - logic bombs
Malware that consists of pieces of code inserted into other applications with malicious intent
war driving
Renee notices a suspicious individual moving around the vicinity of her company's buildings with a large antenna mounted in his car. Users are not reporting any problems with the network. What type of attack is likely taking place?
attack surface review
Ricky is preparing a threat assessment and works to identify all of the possible avenues of attack against a system. What technique is he using?
firewalls
Which one of the following controls is not particularly effective against the insider threat? a. firewalls b. background checks c. least privilege d. separation of duties
sandbox execution
Which one of the following is not a significant risk associated with browser add-ons and extensions? a. overly broad permissions b. sandbox execution c. malicious author d. resale of legitimate extensions
conduct cross-site scripting
Which one of the following is not a standard application hardening technique? a. encrypt sensitive information b. conduct cross-site scripting c. validate user input d. apply security patches promptly
Network Segmentation
Which one of the following is not an effective defense against XSRF attacks? a. user education b. automatic logouts c. preventing the use of HTTP GET requests d. network segmentation
SQL injection flaws
Which one of the following issues is not generally associated with the use of default configurations? a. vendor-assigned passwords b. SQL injection flaws c. open ports d. extraneous services running
protocol analyzer
Wireshark is an example of a ______ tool.
Domain Name System (DNS)
A service that translates human-readable domain names into IP addresses so that clients can locate hosts on the network
typo squatting
An attack that consists of registering domain names similar to official sites, hoping that users will make a typo and visit the attacker's site
eavesdropping attacks
An attacker gains physical or logical access to the network and eavesdrops on communication between two systems - relies on a compromised communications path between a client and server
script kiddies
Unskilled attackers who simply reuse hacking tools developed by other, more sophisticated hackers
Christmas tree attack
An attack that sends packets with every TCP header flag set to 1
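Added example (not part of the original card set) tying the "flags" and "Christmas tree" cards together: it parses the flag bits out of a raw 20-byte TCP header and reports whether every flag is set. The header builder exists only to construct sample packets; in practice the bytes would come from a capture.

```python
import struct

# TCP flag bits in the 16-bit "data offset / reserved / flags" field
# (RFC 793 flags plus the ECN bits CWR, ECE and NS).
FLAGS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
    "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100,
}

def parse_tcp_flags(tcp_header: bytes):
    """Return (set_of_flag_names, raw_flag_bits) from a TCP header.
    Bytes 12-13 hold the 4-bit data offset, then 3 reserved bits, then 9 flag bits."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    offset_and_flags = struct.unpack("!H", tcp_header[12:14])[0]
    bits = offset_and_flags & 0x1FF
    return {name for name, mask in FLAGS.items() if bits & mask}, bits

def is_christmas_tree(tcp_header: bytes) -> bool:
    """True when every flag bit is lit, which no legitimate TCP stack ever sends."""
    flags, _ = parse_tcp_flags(tcp_header)
    return flags == set(FLAGS)

def build_tcp_header(src_port, dst_port, flag_bits, data_offset_words=5):
    """Construct a minimal 20-byte TCP header (seq/ack/checksum left zero);
    used only to make sample packets for this demonstration."""
    offset_and_flags = (data_offset_words << 12) | (flag_bits & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                       offset_and_flags, 65535, 0, 0)

if __name__ == "__main__":
    samples = {
        "normal SYN": build_tcp_header(40000, 80, FLAGS["SYN"]),
        "all flags": build_tcp_header(40000, 80, 0x1FF),
    }
    for label, hdr in samples.items():
        names, bits = parse_tcp_flags(hdr)
        print(f"{label}: flags={sorted(names)} bits=0x{bits:03x} "
              f"christmas_tree={is_christmas_tree(hdr)}")
```

Be aware that the name is used loosely in the field: nmap's "Xmas scan" (`-sX`) sets only FIN, PSH and URG, so a detector that insists on all nine bits will miss it. The card's definition is the all-flags form, which is what `is_christmas_tree` checks; relaxing the test to "FIN, PSH and URG together" covers the nmap variant.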
Smurf attack
The attacker sends ICMP echo requests to the broadcast addresses of third-party networks using a forged source address (the victim's), so every host that receives the request sends its echo reply to the victim
Domain hijacking
An attack that attempts to take control of a legitimate domain name away from its rightful owner
user education
best way to protect against viruses
keeping systems' operating systems updated and patched
best way to protect against worms
Polymorphic viruses
Change their own code to avoid signature detection, e.g. by encrypting the virus body with a different key on each infected system
Threat intelligence
consists of the set of activities that an organization undertakes to educate itself about changes in the cybersecurity threat landscape, and adapt security controls based upon that information
DNS poisoning attacks
disrupts the normal operation of DNS by providing false results
Open-source intelligence
gathering information from freely available public sources
they use indirect command and control channels such as: - Internet Relay Chat (IRC) - Twitter accounts - peer-to-peer communication within the botnet
how do the hackers who manage botnets hide their true locations?
* Hardcoded accounts * Default passwords * Unknown access channels
how do backdoors occur?
Implement blocking technology on the network that identifies and weeds out suspected attack traffic before it reaches the servers
how to defend against DoS
- regular patching - firewalls - endpoint security software - intrusion prevention systems
how to easily defeat script kiddies
application control solutions
how to protect against trojan horses
* routinely change default passwords * disable unused accounts * monitor security bulletins for news of logic bombs and backdoors in applications your organization uses
how to protect from backdoors and logic bombs
- encryption - secure network configuration - strong authentication mechanisms
how to protect from eavesdropping attacks
signature detection
Identifying viruses by matching known code patterns against a database of signatures
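Added example (not part of the original card set) covering both the "signature detection" card and the "polymorphic viruses" card: a toy signature scanner, a toy virus body, and a polymorphic copier that XOR-encrypts the body under a fresh key per copy. The scanner matches the plain body but not any encrypted copy; it matches again once the copy is "run" and decrypts itself, which is why modern engines scan decrypted memory or emulate execution rather than trusting on-disk bytes. Body, signature and stub format are all made up for the demonstration; a real polymorphic engine also mutates the decryptor stub, which this toy keeps constant.

```python
import os

# Constructed stand-ins for a virus body and an AV signature database (not from the page).
VIRUS_BODY = b"PAYLOAD: overwrite boot sector; copy self to *.exe"
SIGNATURE_DB = {
    "Demo.Virus.A": b"overwrite boot sector",
}

def signature_scan(sample: bytes, db=SIGNATURE_DB):
    """Classic signature detection: report every known byte pattern found in sample."""
    return [name for name, sig in db.items() if sig in sample]

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; used here only as a toy cipher for the demonstration."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def make_polymorphic_copy(body: bytes, key: bytes = None) -> bytes:
    """Produce one infection: a 4-byte stub marker, the 8-byte key, then the
    body encrypted under that key. A different key makes every copy's bytes differ."""
    key = key if key is not None else os.urandom(8)
    return b"STUB" + key + xor_bytes(body, key)

def run_polymorphic_copy(copy: bytes) -> bytes:
    """What the decryptor stub does at runtime: recover the original body."""
    key, encrypted = copy[4:12], copy[12:]
    return xor_bytes(encrypted, key)

if __name__ == "__main__":
    print("plain body detected as:", signature_scan(VIRUS_BODY))
    copies = [make_polymorphic_copy(VIRUS_BODY) for _ in range(3)]
    for i, c in enumerate(copies):
        print(f"copy {i}: on-disk scan={signature_scan(c)} "
              f"after-decrypt scan={signature_scan(run_polymorphic_copy(c))}")
```

The practical takeaway for detection is that the only invariant in this scheme is the decryptor stub and the behaviour after decryption; signature-based engines therefore pair byte signatures with emulation, memory scanning and heuristics, and the card's advice to keep anti-malware signatures current is necessary but not sufficient on its own.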
Armored viruses
Implement techniques designed to defeat reverse engineering and to hide themselves from virus detection mechanisms
logic bombs
Malware that executes its payload only when certain conditions are met; works by inserting itself into existing code
Adware
malware that has a specific purpose of displaying advertisements
Botnets
network of infected machines used for malicious purposes
Ping command
A network utility that sends a packet known as an ICMP echo request to a system; the system that receives the echo request sends back an echo reply
backdoors
Occur when a programmer provides a means to grant themselves or others future access to a system, bypassing normal authentication
- to steal their computing power - storage - network connectivity
one of the most common reasons hackers take over systems
user mode rootkits
Rootkits that run with normal user privileges; they are comparatively easy to write, and because the operating system itself is not subverted they are also the easier of the two kinds to detect
Kernel Mode Rootkits
Run with system (kernel) privileges; they are difficult to write, and because they subvert the very kernel code that detection tools rely on they are also the harder of the two kinds to detect
Hacktivists
seek to use hacking tools to advance political or social agenda
Organized crime groups
Seek to use hacking tools, such as ransomware, for financial gain
ARP Poisoning
A spoofing technique that provides false information in response to ARP requests - only works on a local network segment, because ARP traffic does not cross routers
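Added example (not part of the original card set) of what ARP poisoning looks like on the wire and how a host or sensor can spot it: a constructed stream of observed (IP, MAC) ARP replies in which the gateway's IP suddenly answers from a second MAC, and that same MAC also claims another host's IP. The addresses are made up for the demonstration.

```python
from collections import defaultdict

# Constructed sequence of ARP replies as (ip, mac) pairs, standing in for what
# a sniffer on the segment would observe. Not from the page.
ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway announces itself
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # poison: gateway IP now claimed by another MAC
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),
    ("192.168.1.30", "de:ad:be:ef:00:99"),  # the same MAC also claims a second IP
]

def detect_arp_conflicts(replies):
    """Track which MAC each IP has been seen with.

    Returns (alerts, multi_claim):
      alerts      - one message per IP whose MAC changed mid-stream, the direct
                    symptom of a poisoner overwriting victims' ARP caches
                    (or, benignly, a NIC swap or DHCP reassignment, which is why
                    this is an alert to investigate rather than a verdict)
      multi_claim - MACs answering for more than one IP, another tell-tale of an
                    attacker impersonating several hosts (a router doing proxy
                    ARP does this legitimately, so correlate before acting)
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac_to_ips[mac].add(ip)
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac
    multi_claim = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return alerts, multi_claim

if __name__ == "__main__":
    alerts, multi = detect_arp_conflicts(ARP_REPLIES)
    for a in alerts:
        print("ALERT:", a)
    for mac, ips in multi.items():
        print(f"MAC {mac} claims {len(ips)} IPs: {', '.join(ips)}")
```

This is the logic behind tools such as arpwatch. Because the check can only see a change, it works best when seeded with a trusted baseline (static ARP entries for the gateway and servers, or dynamic ARP inspection on the switch), which turns "the mapping changed" into "the mapping disagrees with what we know to be true".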
Amplified DDoS Attack:
The attacker sends very small requests over his or her own network connection that generate very large replies over the third party's connection, directed at the victim
Amplification factor
The degree to which the attack increases in size: the ratio of the reply size to the request size
payload
the malicious action that the malware performs
1. Anti-malware software 2. security patches 3. educating end users
top ways of preventing malware
address resolution protocol
Translates IP addresses to the hardware (MAC) addresses used on local area networks
rootkits
Describes software techniques designed to hide other software on a system for malicious reasons
replay attacks
Use previously captured data, such as an encrypted authentication token, to create a separate connection to the server that is authenticated but does not involve the real end user
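Added example (not part of the original card set) serving both the "session tokens" card and the "replay attacks" card: a client signs each request together with a fresh nonce and a timestamp, and the server rejects any message whose nonce it has already seen or whose timestamp is outside a short window. The shared key, the message format and the 30-second window are assumptions made for the demonstration, not a real protocol.

```python
import hashlib
import hmac
import os
import time

SECRET = b"shared-secret-for-demo"   # assumption: client and server already share this key

def make_request(action: str, nonce: bytes = None, ts: float = None):
    """Client side: bind the action, a timestamp and a one-time nonce under an HMAC.
    Because the MAC covers the nonce, an eavesdropper cannot swap in a new one."""
    nonce = nonce if nonce is not None else os.urandom(16)
    ts = ts if ts is not None else time.time()
    body = f"{action}|{int(ts)}|{nonce.hex()}".encode()
    mac = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body, mac

class ReplayGuard:
    """Server side: verify the MAC, bound the clock skew, then refuse repeated nonces."""

    def __init__(self, window_seconds=30):
        self.window = window_seconds
        self.seen = {}   # nonce -> timestamp, so entries outside the window can be pruned

    def accept(self, body: bytes, mac: str, now: float = None):
        now = now if now is not None else time.time()
        expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad signature"
        action, ts_str, nonce = body.decode().split("|")
        ts = int(ts_str)
        # Timestamp check bounds how long the nonce store has to remember anything.
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = ts
        return True, action

if __name__ == "__main__":
    guard = ReplayGuard()
    body, mac = make_request("pay 5 to bob")
    print("first delivery:", guard.accept(body, mac))
    print("captured and replayed:", guard.accept(body, mac))
    print("tampered amount:", guard.accept(body.replace(b"pay 5", b"pay 9"), mac))
```

A captured token is exactly what the replay attacker holds, and the single-use nonce is what makes it worthless on the second delivery. The timestamp window is the companion control: without it the server would have to remember every nonce forever, and an attacker could replay a year-old capture.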
encryption
what prevents eavesdropping attacks