Security + Threats, Attack and Vulnerabilities


True

T/F It is generally a bad practice to run software after the vendor's end of life.

- Adware - Spyware - Ransomware

TYPES OF MALWARE PAYLOADS (independent programs):

Window of vulnerability

The time between the discovery of a zero-day vulnerability and the release of a security update

propagation mechanism

The way that a malware object spreads.

- Christmas tree attacks - DNS and ARP poisoning

Types of network attacks

- viruses - worms - Trojan horses

Types of malware propagation techniques

Trojan horses

* Disguise themselves as legitimate programs with a hidden malicious effect * sometimes act as advertised when they run but deliver a malicious payload behind the scenes * arrive on systems when users install software

Viruses

* Spread by human action

Worms

* Spread by themselves * exploit system vulnerabilities * once one has infected a system, it uses that system as a new base for spreading across the network

REMOTE ACCESS TROJANS

* provide backdoors to hacked systems * provide hackers with the ability to remotely access and control infected systems

packets

- are the basic unit of network communications - carry a data payload along with header information that includes the source and destination addresses

Man-in-the-browser

- attacker compromises the user's web browser or a browser plug-in to gain access to web communications

Advanced persistent threats

- attackers that are well funded and highly skilled - are typically government sponsored - persistent because they are methodically working to gain access to a highly selective set of targets with military or economic value

Denial of service attacks

- an attack that makes a system or resource unavailable to legitimate users by sending thousands or millions of requests to a server, overwhelming it and making it unable to answer legitimate requests

flags

- part of a packet header made up of single-bit fields that each contain either a 1 or a 0

Man in the Middle Attacks

- the attacker tricks the sending system during the initial communication - the attacker receives the requests from the user, passes them on to the server, then receives the real responses, reads them, and then replays them to the original user

- propagation mechanism - payload

2 components of malware

- man in the middle attacks - replay attacks

2 types of eavesdropping attacks

Distributed Denial of Service

A denial of service attack that leverages a botnet to overwhelm the target; because the attack requests come from many different sources, it is hard to distinguish them from legitimate requests

intimidation

A social engineer calls an administrative assistant in your organization and obtains her password by threatening her that her boss' account will be deleted if she does not provide the password to assist with troubleshooting. What type of attack is the social engineer using?

root account

A special superuser account that provides unrestricted access to system resources - normally reserved for system administrators

Zero-day vulnerability

A vulnerability in a product that has been discovered by at least one researcher but has not yet been patched by the vendor

try...catch

What Java clause is critical for error handling?

Christmas tree

What attack uses carefully crafted packets that have all available option flags set to 1?

' (apostrophe)

What character is essential in input for a SQL injection attack?

memory leak

What condition occurs when a software package fails to release memory that it reserved for use?

shredders

What is the most effective tool to use against dumpster diving attacks?

Polymorphism

What technique does some malware use to modify itself each time it infects a new system to avoid signature detection systems?

session tokens

What technique is useful in preventing replay attacks?

KARMA

What toolkit enables attackers to easily automate evil twin attacks?

known plaintext attack

What type of attack is possible when the attacker has access to both an encrypted and unencrypted version of a single message?

Buffer Overflow

What type of attack seeks to write data to areas of memory reserved for other purposes?

logic bomb

What type of malware delivers its payload only after certain conditions are met, such as a specific date and time occurring?

cookie

What type of object must a hacker typically access in order to engage in a session hijacking attack?

ICMP echo request

What type of packet do participating systems send during a Smurf attack?

whaling

What type of phishing attack focuses specifically on senior executives of a targeted organization?

site trusted by the end user

What type of website does the attacker use when waging a watering hole attack?

directory traversal attack

Alan is analyzing his web server logs and sees several strange entries that contain strings similar to "../../" in URL requests. What type of attack was attempted against his server?

WPA2

Beth is creating a new wireless network for her organization and wants to protect against eavesdropping attacks. What encryption technology should she use to protect the network?

Ransomware

Blocks a user's legitimate use of a computer or data until a ransom is paid, by encrypting files with a secret key and selling the key back for ransom

Bluesnarfing Attack

Chris is attending a hacker convention and overhears someone talking about "force pairing" a mobile device. What type of attack is the individual discussing?

- confidentiality - integrity - availability

CIA triad

ransomware

Cryptolocker is an example of what type of malicious software?

IRC

Which of the following is a common command-and-control mechanism for botnets?

rainbow table

Dan is engaging in a password cracking attack where he uses precomputed hash values. What type of attack is Dan waging?

- build a strong security foundation - implement strong encryption - rigorous monitoring

Defending against APTs

8

How many digits are allowed in a Wi-Fi Protected Setup (WPS) PIN?

- perform background checks to uncover past legal issues - give users only the permissions that they need - require multiple users to carry out sensitive operations - implement a mandatory vacation policy for critical staff

How to protect against insider threats

black box

In a ________ penetration test, the attacker has no prior knowledge of the environment.

Spyware

Malware that gathers information without the user's knowledge or consent, then reports the information to the malware author

- backdoors - logic bombs

Malware that consists of pieces of code inserted into other applications with malicious intent

war driving

Renee notices a suspicious individual moving around the vicinity of her company's buildings with a large antenna mounted in his car. Users are not reporting any problems with the network. What type of attack is likely taking place?

attack surface review

Ricky is preparing a threat assessment and works to identify all of the possible avenues of attack against a system. What technique is he using?

firewalls

Which one of the following controls is not particularly effective against the insider threat? a. firewalls b. background checks c. least privilege d. separation of duties

sandbox execution

Which one of the following is not a significant risk associated with browser add-ons and extensions? a. overly broad permissions b. sandbox execution c. malicious author d. resale of legitimate extensions

conduct cross-site scripting

Which one of the following is not a standard application hardening technique? a. encrypt sensitive information b. conduct cross-site scripting c. validate user input d. apply security patches promptly

Network Segmentation

Which one of the following is not an effective defense against XSRF attacks? a. user education b. automatic logouts c. preventing the use of HTTP GET requests d. network segmentation

SQL injection flaws

Which one of the following issues is not generally associated with the use of default configurations? a. vendor-assigned passwords b. SQL injection flaws c. open ports d. extraneous services running

protocol analyzer

Wireshark is an example of a ______ tool.

Domain Name Service

a service that translates common domain names into IP addresses for the purpose of network routing

typo squatting

an attack that consists of registering domain names similar to official sites, hoping that users will make a typo and visit their site.

eavesdropping attacks

an attacker gains physical or logical access to the network and eavesdrops on communication between two systems - rely on a compromised communications path between a client and server

script kiddies

are unskilled attackers who simply reuse hacking tools developed by other sophisticated hackers

Christmas tree attack

attack when all packet header flags are set to 1

Smurf attack

attacker sends echo requests to the broadcast addresses of third-party networks using a forged source address

Domain hijacking

an attack that attempts to steal a legitimate domain

user education

best way to protect against viruses

keeping systems updated with OS updates and patches

best way to protect against worms

Polymorphic viruses

change their own code to avoid signature detection, using encryption with a different key on each infected system

Threat intelligence

consists of the set of activities that an organization undertakes to educate itself about changes in the cybersecurity threat landscape, and adapt security controls based upon that information

DNS poisoning attacks

disrupts the normal operation of DNS by providing false results

Open-source intelligence

gathering information from freely available public sources

they use indirect command-and-control channels such as: - Internet Relay Chat (IRC) - Twitter accounts - peer-to-peer communication within the botnet

how do hackers that manage botnets hide their true locations

* Hardcoded accounts * Default passwords * Unknown access channels

how does a backdoor occur?

implement blocking technology on the network that identifies and weeds out suspected attack traffic before it reaches servers

how to defend against DoS

- regular patching - firewalls - endpoint security software - intrusion prevention systems

how to easily defeat script kiddies

application control solutions

how to protect against trojan horses

* routinely change default passwords * disable unused accounts * monitor security bulletins for news of logic bombs and backdoors in applications your organization uses

how to protect from backdoors and logic bombs

- encryption - secure network configuration - strong authentication mechanisms

how to protect from eavesdropping attacks

signature detection

identifying viruses by detecting known code patterns from a database

Armored viruses

implement techniques designed to defeat reverse engineering, use techniques to hide themselves from virus detection mechanisms

logic bombs

is malware that is set to execute a payload when certain conditions are met, works by modifying existing code

Adware

malware that has a specific purpose of displaying advertisements

Botnets

network of infected machines used for malicious purposes

Ping command

network request that sends a packet known as an echo request to a system; the system that receives the echo request then sends back an echo reply

backdoors

occurs when a programmer provides a means to grant themselves or others future access to a system

- to steal their computing power - storage - network connectivity

one of the most common reasons hackers take over systems

user mode rootkits

rootkits that run with normal user privileges and are easy to write and difficult to detect

Kernel Mode Rootkits

run with system privileges and are difficult to write and easy to detect

Hacktivists

seek to use hacking tools to advance a political or social agenda

Organized crime groups

seek to use hacking tools, such as ransomware, for financial gain

ARP Poisoning

spoofing technique that provides false information in response to ARP requests - only works on a local network

Amplified DDoS Attack

the attacker sends very small requests over his or her network connection that generate very large replies over the third party's network connection

Amplification factor

the degree to which the attack increases in size

payload

the malicious action that the malware performs

1. Anti-malware software 2. security patches 3. educating end users

top ways of preventing malware

address resolution protocol

translates IP addresses to the hardware (MAC) addresses used on local area networks

rootkits

used to describe software techniques that are designed to hide other software on a system for malicious reasons

replay attacks

uses previously captured data, such as an encrypted authentication token, to create a separate connection to the server that is authenticated but does not involve the real end user

encryption

what prevents eavesdropping attacks

