Threats, Attacks, and Vulnerabilities

Ace your homework & exams now with Quizwiz!

Intrusive vs Non-intrusive (vulnerability scanning)

-Most scanners allow ability to choose between intrusive and non-intrusive or dangerous and safe modes -Scans running in non-intrusive or safe mode will not perform tests that could disrupt system operation -does not provide accurate picture of security because it fails to show you if attacks would be successful -can balance this by running tests against production systems in safe mode but then clone those systems running in dangerous mode scans against the images -penetration testing:intrusive vs vulnerability testing:non-intrusive

Passively Testing Security Controls (vulnerability scanning)

-important to remember scanner passively identifies weaknesses and does not perform exploitation

Identifying Vulnerabilities and Misconfigurations

-vulnerability scanners utilize a database or dictionary of known vulnerabilities and test systems against the database -detect misconfigurations: open ports, weak passwords, default accounts and passwords, sensitive data, and security and configuration errors

Social Engineering Principles [reasons for effectiveness]

Authority: people have grown up to respect authority and are more likely to comply when a person of authority says to do so -ex: impersonation, whaling, vishing Intimidation: may be through bullying tactics, and Consensus: ex fake testimonials for a product on a malicious site Scarcity Urgency Familiarity: shoulder surfing, tailgating Trust **Many of the reasons that social engineers are effective are because they use psychology-based techniques to overcome users; objections. Scarcity and urgency are two techniques that encourage immediate action.**

Open-source intelligence

a method of gathering data using public sources, such as social media sites and news outlets

Initial Exploitation

after scanning the target, testers discover vulnerabilities. They then take it a step further and look for a vulnerability that they can exploit

Injection attack

an attack that injects code or commands

Address Resolution Protocol (ARP) poisoning

an attack that misleads computers or switches about the actual MAC address of a system -can help launch MiTM or DoS

Disassociation attacks

attack that removes wireless clients from wireless network

Jamming attack

attacker brings powerful transmitter into vicinity of wireless network and broadcasts strong signal that overpowers legitimate wireless access points

Man-in-the-Browser (MiTB)

attacker compromises user's web browser or browser plug-in to gain access to web communications -type of proxy Trojan horse

Typo squatting aka URL hijacking

attacker creates URL similar to real site and copies look of legitimate website to trick users into entering login credentials which are then sent to the attacker. The attack that depends upon people making simple typing mistakes -various reasons for initiating include: hosting a malicious web site, earning revenue, and reselling the domain

Pass the hash

attacker discovers the hash of the user's password and then uses it to log on to the system as the user -any authentication protocol that communicates over the network in an unencrypted format is susceptible to this attack -recommended to use NTLMv2 or Kerberos

Cross-site scripting (XSS)

attacker embeds malicious code in a 3rd party website that then runs within the web browser of other visitors to that site. This happens when the website allows users to enter input that is displayed to other users -mitigate with input validation at the server and use of security encoding library

Dumpster diving

attacker goes through physical trash in search of sensitive documents -should shred or burn papers instead of throwing them away

White box test

attacker has full knowledge of network environment

Black box test

attacker has no prior knowledge of enterprise IT environment and seeks to gain that knowledge as they move through attack and discovery phases

Gray box test

attacker has some knowledge of system

Birthday attack

attacker is able to create a password that produces the same hash as the user's actual password -aka collision -thwarted by increasing the number of bits used in the hash to increase the number of possible hashes

Shoulder surfing

attacker looks over shoulder of victim as they do something sensitive on their computer -can also be remotely using a camera -can be mitigated by using screen filters

Impersonation

attacker pretends to be another person with the goal to convince an authorized user to provide some information, or help the attacker defeat a security control -mitigated through identity verification methods

Man-in-the-Middle (MiTM)

attacker tricks the sending system during initial communication causing the user to connect directly to the attacker. The attacker connects to the legitimate server and the user authenticates to the fake server from the attacker which lets the attacker view all communications between the client and server. The user is unaware of this intercept.

Downgrade attacks

attacker uses MitM exploit to force 2 other systems that communicate to each other to switch to a weak implementation of a cryptographic algorithm that the attacker can eavesdrop on and then crack

Near Field Communication (NFC) attack

attacker uses ____ reader to capture data from another ____ device

Known-plaintext attack

attacker uses knowledge of encrypted and unencrypted versions of a message to try and crack the decryption key for other messages

Clickjacking

attacker uses specialized HTML content to hide elements of a webpage behind other page elements

Domain hijacking

attackers attempt to steal legitimate domain or change domain name without permission of the legitimate owner

Command injection attack

attackers can inject OS commands into an application using web page forms or text boxes -any web page that accepts input from users is at risk -ex: Directory traversal attack

Brute force attack

attackers guess all possible password combinations. Only effective against short non-complex passwords -mitigate by implementing account lockout policies and using PBKDF2 -Online attacks- guess the password of an online system -Offline attacks- guess the password stored within a file, such as a database

Persistence

attackers often use various threats that allow them to stay within a network for weeks, months, or years without being detected -Common technique is creating backdoors

Keylogger

attempts to capture a user's keystrokes -keystrokes are stored in a file and are either sent to an attacker automatically or the attacker may manually retrieve the file -typically software but can also be hardware

Sniffing or Eavesdropping

because RFID transmits data over the air, it's possible for an attacker to collect data by listening. A key requirement is to know the frequency used by the RFID system and have a receiver that can be tuned to that frequency. Attacker also need to know the protocols used by the RFID system to interpret the data Replay- successful eavesdropping attacks allow the attacker to perform a replay attack DoS- if an attacker knows the frequency used by the RFID system, it's possible to launch a jamming or interference attack, flooding the frequency with noise

Ransomware

blocks a user's legitimate use of a computer or data until a ransom is paid

Improper error handling

can often give attackers information about an application -when an application doesn't catch an error, it often provides debugging information that attackers can use against the application -in the worst-case scenario, they can cause the OS to crash

Denial of Service (DoS)

category of attack that disrupts the normal use of computing resources; makes a system or resource unavailable to legitimate users. An attacker sends thousands to millions of requests to a server, overwhelming it, making it unable to answer legitimate user requests

Media Access Control (MAC) spoofing

change the name of the MAC through administrative access

Internet Protocol (IP) spoofing

change the system's IP address through administrative access

Botnets

collection of "zombie" computers used for malicious purposes

Passive reconnaissance

collects information about a targeted system, network, or organization using open-source intelligence

Embedded system (smart devices)

components of the Internet of Things (IoT) stacked into larger systems -contain a wealth of information that may be valuable in a forensic investigation -ex: GPS units, security monitoring system, thermostats, lights, Alexa, Google Home -in many cases, they connect to a cloud service that provides data storage and added functionality

Weak implementations

cryptographic algorithms with design flaws or small keys -ex: WEP (design flaw), DES (56-bit keys)

Domain Name Service (DNS) poisoning

disrupt normal operation of DNS by providing false results, DNS cache is modified with bogus IP address

Penetration testing

executing an attack on a system to best understand its vulnerabilities. The goal of this is to test security controls by attempting to bypass or defeat them. It is considered successful if "attackers" infiltrate target system. It alternates between the attack and discovery phases: Attack- seek to gain access to target system, escalate access to advanced privileges, and then browse through network looking for new systems they can access from that vantage point Discovery- conduct reconnaissance and think of possible exploitable avenues -starts with passive reconnaissance then tries to exploit vulnerabilities by simulating or performing an attack

Tailgating

follow someone into secure area without swiping badge to gain access because they don't have one -mitigated through mantrap- turnstile

Misconfiguration/Weak configuration (secure systems)

follow the below steps to mitigate these: implement hardening practices to help eliminate vulnerabilities from default configurations, misconfigurations, and weak configurations -implement least functionality -uninstall unneeded software and disable unnecessary accounts -avoid backdoors -change default account and password names

Bluesnarfing

force pairing between victim device and attacker's and use pairing to pull down contacts and other information from device **Ensure Bluetooth devices cannot be paired without manual user intervention to prevent Bluetooth attacks.**

Evil twin attack

hacker sets up fake access point with the SSID of a legitimate network to lure unsuspecting users who will automatically connect to it when they are in the fake access point's vicinity

Nation-state

highly skilled and well-funded individuals sponsored by a country government

Insider threat

individual within the organization who likely has administrative or executive privileges who is triggered to attack internal organization due to stressful event (mental, disciplinary, or disgruntled)

Hacktivist

individuals seeking to use their hacking skills to advance a political or social agenda

Script kiddies

lone individuals who hack to see if they can break into systems

Shim

malicious driver. User receives request from operating system and passes user onto legitimate driver so device functions normally. Driver can also carry malicious payload in background

Trojan horse

malware disguises as legitimate software which when run by a user also has a hidden malicious payload that performs unwanted action behind the scenes

Spyware

malware that gathers information without the user's consent or knowledge

Adware

malware that has specific purpose of displaying advertisements to generate revenue for the malware author

Logic bomb

malware that's set to execute a payload when certain conditions are met

Hoax

message, often circulated through email, that tells of impending doom from a virus or other security threat that simply doesn't exist -can be convinced to perform an action that results in loss of data or capabilities

Competitors

motivation is to gain proprietary information about another company -various methods including open source research, illegal activity, dumpster diving, and hiring employees to provide information about their previous employer

Vulnerability scanners

obtain details of services using ports and check ports for known vulnerabilities. This has a database of all known vulnerability exploits and test the server to see if it contains vulnerabilities -identify which systems are susceptible to attacks

Backdoor

occurs when a programmer provides a means to grant themselves or others future access to a system

Race condition

occurs when proper functioning of a security control depends upon timing of activities performed by the computer or user -when two or more modules of an application, or two or more applications, attempt to access a resource at the same time -most developers include methods to avoid them when writing code -online tickets sites can lock the selection before offering it to a customer or double-check for conflict later in the process -most database applications have internal concurrency control processes to prevent two entities from modifying a value at the same time

Collision

occurs when the hashing algorithm creates the same hash from different passwords

Improper input handling (or the lack of input validation)

one of the most common security issues on web-based applications -It allows many different types of attacks, such as buffer overflow, SQL injection, command injection, and XSS

Dictionary attack

operate under assumption people use words as passwords and try all words in the English language first -mitigate by using complex passwords

Spear phishing

phishing attacks personalized to a specific person, group, or organization -digital signatures reduce success of this

Rainbow table attack

pre-computing common password hashes and saving a computational step during attack -salt passwords or implement PBKDF2 to mitigate

Refactoring

process of rewriting the internal processing of the code, without changing its external behavior -usually done to correct problems related to software design

Pivot

process of using an exploited system to target other systems

Initialization vector (IV)

provides a starting value for a cryptographic algorithm; it is a fixed-size random or pseudo-random number that helps create random encryption keys -ideally, it should be large enough so algorithm doesn't reuse same number and re-create same encryption keys -used in encryption ciphers, WEP, and older SSL implementations

Crypto-malware

ransomware that encrypts all data on computer except the OS and holds it for ransom -uses public-key cryptography - no way to decrypt data without obtaining key from the attackers -make sure to keep OS and systems up to date; update antivirus signatures; and keep backups offline

Non-credentialed scan

scan without using user credentials -attackers typically run this - will try to obtain credentials and if successful would run a credentialed scan -administrators will run these scans to view what an attacker would see

Identifying Lack of Security Controls (vulnerability scanning)

scanners can identify missing security controls such as up-to-date patches or lack of antivirus software

Bots

software robots

Rootkits

software techniques designed to hide other software on a system -have system-level or kernel access and can modify system files and system access -use hooking techniques to hide detection -tools that inspect RAM can uncover hidden processes

Remote access Trojan (RAT)

specific type of Trojan horse which provides hackers the ability to remotely access and control infected systems

Virus

spreads from system to system based upon some type of user action

Worm

spreads from system to system without user action

Session hijacking

stealing or predicting valid user credentials to gain unauthorized access to web server -takes advantage of session IDs stored in cookies

Privilege Escalation

the process of gaining elevated rights and permissions

Wi-Fi Protected Setup (WPS) attack

tool that tries different PINs until it's successful. Once the PIN is known, it can then discover the passphrase in WPA and WPA2 wireless networks

Phishing

trick users into revealing passwords to sensitive accounts

Cross-site request forgery (CSRF/XSRF)

tricks users into performing actions on websites, such as making purchases, without their knowledge -mitigate through dual authentication, force users to manually enter credentials prior to performing certain actions, expire cookie after short period of time, and use of tokens

Amplification attack

type of DDoS attack that significantly increases the amount of traffic sent to, or requested from, a victim -can be used against a wide variety of systems, including individual hosts, DNS servers, and NTP servers

Whaling

type of spear phishing focused exclusively to senior executives in an organization

Distributed Denial of Service (DDoS)

use of botnets to overwhelm target

Watering hole attack

use of sneaky techniques to lure unsuspecting users and infect their systems with malware

Structured Query Language (SQL) injection

use of web applications as a mechanism to illegitimately access database servers that support web applications and retrieve sensitive information or make unauthorized modifications to the database -many attackers use the phrase ' or'1'='1' - to trick the database server into providing information -mitigated through proper error handling, input validation, use of stored procedures with dynamic web pages

Organized crime group

use technical skills for monetary gain via ransomware and extortion attacks. Can also be motivated by corporate espionage.

Shimming

uses additional code to modify the behavior of a driver

Replay attack

uses previously captured data to create a separate connection to the server that is authenticated, but does not involve the real end user. The attacker only has encoded version of credentials -WPA using TKIP is vulnerable, newer encryption methods are not

Active reconnaissance

using tools to send data to systems and analyzing the responses -After scanning a target and uncovering vulnerabilities, the testers look for a vulnerability that can be exploited

End-of-life

vendor no longer supports product at all and will not release any updates -ensure no valuable data is on them before disposal

Lack of vendor support

vendors sometimes fail to provide adequate support for their products (understaffed or not committed) -when a vendor stops supporting a product, any new vulnerabilities will not be patched

Vishing

voice phishing attacks. Hackers call unsuspecting people using social engineering tactics to trick them into revealing sensitive information

Credentialed scans

vulnerability scan that has full details of system configurations -scan using account information -scan is often run with administrator privileges to check security issues at a deeper level -results are more accurate because scan has easier access to internal workings of system

Zero-day vulnerability

weakness or bug that is unknown to trusted sources, such as OS and antivirus vendors -exploits an undocumented vulnerability -until vendor releases a patch, it remains this -in most cases, these are new threats

Bluejacking

when attackers use bluetooth technology to send spam messages directly to a device. Attackers goal is to convince user to visit website or perform action that will lead to a more advanced attack **Ensure Bluetooth devices cannot be paired without manual user intervention to prevent Bluetooth attacks.**

False positive error

when scanner detects vulnerability that doesn't actually exist

Rogue access point (rogue AP)

when someone connects to an unauthorized wireless access point to an enterprise network -placed within a network without official authorization -acts as a sniffer to capture traffic passing through the wired network device and then broadcasts the traffic using the wireless capability of it -attacker can capture exfiltrated data -can use it to also connect into the wired network -if discovered, immediately unplug Ethernet cable to stop it from capturing network traffic

Buffer overflow

when user input exceeds space within buffer, user content can overflow from area reserved for input into an area for other purposes and unexpected results may occur -often include no operation (NOP) instructions (such as x90) followed by malicious code -input validation helps to prevent this type of attack


Related study sets

Chapter 13: Capital Budgeting Decisions

View Set

Super Minds 1 Free time activities

View Set

Apologia Physical Science Module 11

View Set

Human Biology Chapter 20 (Cancer)

View Set