CHAPTER 3 – THREATS AND VULNERABILITIES
3.1 EXPLAIN TYPES OF MALWARE.
Adware Adware is short for advertising-supported software. It automatically renders advertisements and collects user information to do so. It is a form of spyware.
Virus A computer virus is a program that can infect other executable software. Newer viruses can even infect Office macro files.
Spyware Spyware programs are usually bundled as a hidden component of freeware that has been made available for download on the Internet.
Trojan With a Trojan, legitimate software is corrupted by malicious code that runs when the program is used. It is the user who invokes the program and thereby triggers the malicious code.
Rootkits Rootkits are recompiled Unix tools that can hide traces of the intruder. Their only purpose is to hide evidence from system administrators so that malicious activity cannot be detected.
Backdoors Backdoors are undocumented means of getting into a system. They mostly exist for programming and maintenance/troubleshooting purposes.
Logic bomb Logic bomb = slag code. It is inserted into the normal program code and "explodes" (executes) only under specific circumstances. It is a form of delayed-execution virus. Some logic bombs are used by legitimate software vendors as a timer to prevent usage after the trial period.
Botnets Botnets are zombie armies formed by a number of innocent hosts set up to perform malicious operations. A bot is malware that allows a botmaster to control the victimized computer. Many botnets were controlled via Internet Relay Chat.
Ransomware Ransomware is malware which locks up a victimized system and demands a ransom in order to release the lock.
Polymorphic malware Polymorphic malware is a form of malware that can constantly change while retaining the same harmful function.
Armored virus Armored viruses have built-in mechanisms that make detection difficult. They can fool anti-virus solutions into believing that they are not viruses.
3.2 SUMMARIZE VARIOUS TYPES OF ATTACKS.
Man‐in‐the‐middle The man‐in‐the‐middle attack (MITM) is a form of active eavesdropping. It often involves actively relaying messages between the parties of a connection.
DDoS A distributed denial of service (DDoS) attack involves deploying a large number of compromised hosts to flood a target system with requests so as to render it unusable.
DoS Denial of service (DoS) attacks are not for gaining unauthorized access or control of a system. They are for making a system unusable through exhausting its resources.
Replay With a replay attack, a valid data transmission is maliciously repeated or delayed. A captured stream of messages is replayed to produce duplicate messages.
Smurf attack A Smurf attack is a type of DoS attack. It exploits the broadcast address to create a denial of service, mostly through the use of ICMP.
Spoofing Spoofing involves impersonating another device or user in order to launch an attack. A popular way to achieve this is by creating IP packets that carry someone else's IP address.
Spam Spamming refers to the use of emails (or other messaging systems) to send unsolicited bulk messages. Ratware is used to achieve this.
Phishing Phishing mainly applies to email that appears to be sent from a legitimate business and asks the recipient to "verify" information. Many modern email filtering services can detect this kind of email.
Spim Spim is spam delivered through instant messaging.
Vishing Vishing is simply the phone equivalent of phishing.
Spear phishing As a variation of phishing, spear phishing is also an email spoofing fraud attempt. However, it mostly targets a specific organization and is usually not a random attempt. Trade secrets or highly confidential military information are usually involved.
Xmas attack An Xmas attack involves the use of a so-called Christmas tree packet, which has every single option set for whatever protocol is currently being used. Another name for this packet is the kamikaze packet. A large number of such packets can be used to carry out a DoS attack.
Pharming Pharming is all about redirecting a website's traffic to a totally bogus site. This is usually done through editing the hosts file of the victim's computer or by exploiting the DNS server.
Privilege escalation Privilege escalation aims to exploit a bug or flaw on the target in order to gain elevated access to resources that are otherwise protected.
Malicious insider threat A malicious insider threat comes from a hacker (aka cracker or black hat) who is a disgruntled employee, former employee, business partner or contractor of an organization.
DNS poisoning and ARP poisoning DNS poisoning = DNS spoofing. A hacker tries to insert a fake record into the DNS system. The cache is poisoned when the fake record is put in place. ARP poisoning is the ARP equivalent of DNS poisoning.
Transitive access When A trusts B and B trusts C, A may effectively trust C without knowing it. Therefore it is important to carefully configure trust relationships in your networks.
Client‐side attacks Client‐side attacks are attacks related to transitive access. They exploit the trust relationship between the users and the websites visited. XSS and content spoofing are examples of this type of attack.
Password attacks (Brute force, Dictionary attacks, Hybrid, Birthday attacks, Rainbow tables) Passwords serve as the entry point to information system resources, so password management is an important topic. Types of password attack include brute force, dictionary attacks, hybrid attacks, birthday attacks, and rainbow tables. A rainbow table is a precomputed table for reversing cryptographic hash functions. A birthday attack is a brute-force cryptographic attack that exploits the probability theory behind the birthday problem.
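The following added example (not from the original study guide) shows why the two cryptographic items above work and how a defender defeats them: a precomputed digest-to-password table reverses unsalted hashes but misses salted, iterated ones, and the birthday bound shows why collisions need roughly 2^(n/2) trials. The wordlist and the PBKDF2 iteration count are constructed values for the example.

```python
import hashlib
import hmac
import math
import os

# Constructed candidate-password list standing in for the wordlist a rainbow
# table is built from; real tables cover many millions of candidates.
WORDLIST = ["password", "letmein", "qwerty", "summer2024", "admin"]
ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for this example


def unsalted_digest(password):
    """Plain SHA-256 of the password: the kind of value precomputed tables reverse."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> password for every candidate (what the table attack relies on)."""
    return {unsalted_digest(w): w for w in words}


def lookup(table, digest_hex):
    """Reverse a digest by table lookup; None means the table does not cover it."""
    return table.get(digest_hex)


def store_password(password, salt=None):
    """Return (salt, digest) as a defender stores it: random salt + PBKDF2-HMAC-SHA256.

    The salt makes every user's digest unique, so a single precomputed table
    cannot be reused across accounts or systems.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate, salt, stored_digest):
    """Recompute the salted digest and compare it in constant time."""
    _, digest = store_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def birthday_collision_probability(n_bits, samples):
    """Approximate P(at least one collision) among `samples` random n-bit values.

    Uses 1 - exp(-k^2 / 2N) with N = 2^n; this is why a birthday attack on an
    n-bit hash needs about 2^(n/2) trials rather than 2^n.
    """
    return 1.0 - math.exp(-(samples ** 2) / (2.0 * 2.0 ** n_bits))


def samples_for_even_odds(n_bits):
    """Number of random n-bit values needed for a ~50% chance of a collision."""
    return math.sqrt(2.0 * math.log(2.0) * 2.0 ** n_bits)
```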
Typo squatting/URL hijacking Typo squatting and URL hijacking mean the same thing. They are a form of cybersquatting that relies on the typographical errors users make when entering web addresses.
Watering hole attack With a watering hole attack a specific website is compromised by having an exploit inserted, thus resulting in malware infection. The victim is specifically targeted, not randomly picked.
3.3 SUMMARIZE SOCIAL ENGINEERING ATTACKS AND THE ASSOCIATED EFFECTIVENESS WITH EACH ATTACK.
Shoulder surfing Shoulder surfing involves using direct observation techniques such as looking over someone's shoulder to steal information. It is a form of social engineering.
Dumpster diving Dumpster diving means searching through the trash for information such as access codes, written passwords, phone lists, memos, etc.
Tailgating As previously said, tailgating is the act of an unauthorized individual following someone into a restricted area without consent.
Impersonation Technically, impersonation describes the ability of a thread to run in a security context different from that of the parent process which owns the thread. Many programming languages define impersonation levels, which make it possible to specify the operations a server may perform in the context of the client.
Hoaxes A hoax refers to an act, a document, or anything else containing non-factual claims that is published for widespread circulation in an attempt to deceive or even defraud the public. Hoax warnings are false virus alerts that are easily forwarded by innocent users.
Whaling Whaling can be thought of as a highly targeted form of phishing (spear phishing) which involves the use of personalized phishing techniques against high profile end users.
Vishing As previously said, vishing is simply the phone equivalent of phishing.
Principles (reasons for effectiveness) (Authority, Intimidation, Consensus/Social proof, Scarcity, Urgency, Familiarity/liking, Trust) All social engineering techniques are said to be based on flaws in human reasoning referred to as cognitive biases. These biases may be exploited in various combinations. Different factors contribute to the effectiveness of social engineering techniques; they include authority, intimidation, consensus/social proof, scarcity, urgency, familiarity/liking, and trust.
3.4 EXPLAIN TYPES OF WIRELESS ATTACKS.
Rogue access points Rogue access points are Wi‐Fi access points installed on and running in the network without authorization. They can allow anyone equipped with a wireless device to access mission‐critical network resources.
Jamming/Interference Wireless technologies for LANs are based on RF field propagation. They are subject to jamming or interference. Potential sources of RF interference include microwave ovens, wireless phones, Bluetooth enabled devices or other wireless LANs.
Evil twin Evil twin involves having a rogue access point that appears to be an authorized one. It is often referred to as the wireless version of the phishing attack.
War driving War driving involves searching for Wi-Fi wireless networks by driving around with a portable computer or a handheld device.
Bluejacking Bluejacking involves sending unsolicited messages via Bluetooth.
Bluesnarfing Bluesnarfing refers to unauthorized access to private information on a wireless device over a Bluetooth connection.
Warchalking Warchalking involves drawing symbols in public places to advertise an open wireless network. It allows people to take advantage of excess bandwidth or free Internet access.
IV attack IV attacks (IV is short for initialization vector) are performed by modifying the initialization vector of an encrypted packet during transmission. This type of attack poses a security risk to the CBC encryption mode of block ciphers when an unauthenticated IV is used. This risk also applies to the IPsec protocol.
Packet sniffing It is technically possible to detect rogues by using wireless sniffing tools to capture information regarding access points within range. In other words, packet sniffing can be helpful in detecting rogues.
Near field communication Near Field Communication (NFC) is a family of short-range wireless technologies that work within a distance of at most 4 cm.
Replay attacks As previously said, replay attacks take place when valid data transmissions are maliciously repeated or delayed.
WEP/WPA attacks There are attacks that target WEP and WPA. WEP uses a cyclic redundancy check (CRC), which is less secure in terms of payload integrity. WEP is easily broken since standard 64-bit WEP uses only a 40-bit key. WPA is an intermediate solution designed for wireless hardware that cannot support WPA2. WPA is stronger than WEP but is still subject to WPA attacks.
WPS attacks WPS has a flaw that allows a remote attacker to recover the PIN via a brute-force attack. The problem is that many wireless devices do not offer any lockout policy for such brute-force attempts.
3.5 EXPLAIN TYPES OF APPLICATION ATTACKS.
Cross-site scripting Cross-site scripting (XSS) allows a hacker to insert client-side scripts into web pages viewed by others so as to bypass the access controls currently in place. These vulnerabilities have been reported since the '90s.
SQL injection SQL injection is an attack that involves injecting a SQL query through the input data sent from the client to the server-side database application so as to manipulate sensitive data.
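As an added example (not code from the study guide), the two lookups below run against a constructed in-memory SQLite table: the first builds the query by string concatenation, so the client's input is parsed as SQL and a tautology in the name field returns every row; the second binds the input as a parameter, so the same input is only ever compared as a string.

```python
import sqlite3


def make_db():
    """Constructed user table standing in for the server-side database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret"), ("carol", "c-secret")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable form: the client value is spliced into SQL text.

    An input such as  ' OR '1'='1  closes the quoted literal and appends a
    condition that is always true, so the WHERE clause matches all rows.
    """
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is passed as a bound parameter.

    The driver sends the SQL and the value separately; quotes or keywords in
    the value are data, never syntax, so no row named  ' OR '1'='1  exists.
    """
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()
```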
LDAP injection LDAP Injection is an attack that involves injecting unwanted LDAP commands into web applications (those that work by constructing LDAP statements based on user inputs).
XML injection XML injection is injecting unintended XML content with the goal of confusing the XML parser.
Directory traversal/command injection Directory traversal attack = path traversal attack. It uses special characters in input file names to represent "traverse to the parent directory". When such maliciously crafted file names are passed to the file APIs, unwanted access to files in other paths becomes possible. Command injection attacks involve injecting malicious commands into a vulnerable application that fails to perform proper input validation.
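Added example (not part of the study guide) of the input validation both items above call for: a path resolver that confines client-supplied file names to one directory, rejecting the parent-directory sequences the text describes, and an argument-vector builder that keeps a host name from ever reaching a shell. The base directory and the hostname pattern are assumptions for the example.

```python
import os
import re
import urllib.parse

# Assumed directory the application is permitted to serve files from.
BASE_DIR = "/srv/app/files"

# Hostname label rules (letters, digits, hyphen; no leading or trailing hyphen).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"(?:%s\.)*%s" % (_LABEL, _LABEL))


def safe_join(base_dir, user_path):
    """Resolve a client-supplied relative path under base_dir, or return None.

    Rejects absolute paths, NUL bytes, and any path that normalizes to a
    location outside base_dir; this is the '..' (parent directory) traversal
    the text describes. The input is percent-decoded once, as the web layer
    would, so '%2e%2e/' is treated as '../'; backslashes count as separators.
    """
    decoded = urllib.parse.unquote(user_path).replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    base = os.path.normpath(base_dir)
    full = os.path.normpath(os.path.join(base, decoded))
    if os.path.commonpath([base, full]) != base:
        return None
    return full


def build_ping_argv(host):
    """Return an argument vector for ping that cannot become a second command.

    The host must match a strict hostname pattern (so ';', '|', '$(' or a
    leading '-' are refused), and the result is a list intended for
    subprocess.run(argv) without shell=True, so no shell ever parses it.
    """
    if len(host) > 253 or not _HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname: %r" % (host,))
    return ["ping", "-c", "1", host]
```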
Buffer overflow A buffer overflow is due to a programming error. A memory access exception occurs when a process attempts to store data beyond the fixed boundaries of a buffer area.
Integer overflow An integer overflow is also due to a programming error. An arithmetic operation is carelessly allowed to produce a numeric value that is too large to be represented and processed.
Zero‐day As said before, zero‐day exploit is exploiting a previously unknown vulnerability when the developer has had no time to address it.
Cookies and attachments A cookie is an ASCII file placed on the client side, which makes many attacks possible. For example, cookie poisoning modifies the cookie contents to bypass security. Mail message attachments can produce buffer overflows when the mail application fails to perform bounds checking on attachments sent by users.
Malicious add‐ons Many web browser add‐ons are legitimate, but malicious add‐ons do exist that can cause browser problems. Different browsers have different ways to disable these add‐ons. Keep in mind, add‐ons are just plug‐in features and can be safely disabled or removed.
Session hijacking Session hijacking = cookie hijacking (cookies can be easily stolen). This involves exploiting a valid computer session by capturing the session key to gain unauthorized access to confidential information.
Header manipulation With header manipulation, data from an untrusted source enters a web application through HTTP request headers or ends up in an HTTP response header. With a poisoned HTTP header, attacks such as cache poisoning, cross-site scripting, and others can easily be conducted.
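Added example (not from the study guide) tying the header manipulation, cookie and session hijacking items together: a validator that refuses control characters before any untrusted value is written into a response header, and a Set-Cookie builder that adds the attributes which limit cookie theft. The header formats follow RFC 7230 and RFC 6265; the attribute values are assumptions for the example.

```python
import re

# An HTTP header field value may contain only printable ASCII and horizontal tab;
# CR and LF in particular must never pass through.
_HEADER_VALUE_RE = re.compile(r"[\t\x20-\x7e]*")
_COOKIE_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")
_COOKIE_VALUE_RE = re.compile(r"[A-Za-z0-9_\-.~+/=]*")  # subset of RFC 6265 cookie-octet


class HeaderInjection(ValueError):
    """Raised when untrusted input would terminate or forge a header."""


def validated_header_value(value):
    """Return value unchanged if it is safe to place in a response header.

    Rejects CR, LF, NUL and other control characters so that untrusted input
    (a redirect target, a value copied from a request) cannot end the current
    header line and start a new one: the poisoned-header case the text describes.
    """
    if not isinstance(value, str) or not _HEADER_VALUE_RE.fullmatch(value):
        raise HeaderInjection("control character in header value: %r" % (value,))
    return value


def set_cookie_header(name, value, max_age=3600):
    """Build a Set-Cookie line whose attributes make the cookie harder to steal.

    Secure: sent only over TLS. HttpOnly: not readable by page scripts, which
    blunts XSS-based session hijacking. SameSite=Strict: not sent on
    cross-site requests. Max-Age keeps a captured cookie from living forever.
    """
    if not _COOKIE_NAME_RE.fullmatch(name):
        raise ValueError("invalid cookie name: %r" % (name,))
    validated_header_value(value)  # control characters -> HeaderInjection
    if not _COOKIE_VALUE_RE.fullmatch(value):
        raise ValueError("invalid characters in cookie value: %r" % (value,))
    return ("Set-Cookie: %s=%s; Max-Age=%d; Path=/; Secure; HttpOnly; SameSite=Strict"
            % (name, value, max_age))


def location_header(target):
    """Build a redirect Location header from a validated target."""
    return "Location: " + validated_header_value(target)
```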
Arbitrary code execution / remote code execution Arbitrary code execution means a hacker can execute commands on a target system. Sometimes it may be done via malware. Remote code execution takes advantage of a system's security vulnerabilities which allow hackers to run code from a remote server.
3.6 ANALYZE A SCENARIO AND SELECT THE APPROPRIATE TYPE OF MITIGATION AND DETERRENT TECHNIQUES.
Monitoring system logs (Event logs, Audit logs, Security logs, Access logs) Event Viewer is the graphical interface for managing event logging in Windows. The primary types of logs are System, Application and Security. Syslog is the logging facility provided by Linux and Unix. The logs may be classified into Event, Audit, Security, and Access types.
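The following added example (not from the study guide) shows what monitoring syslog output looks like in practice: it parses syslog-format lines, counts sshd failed-password events per source address, and reports sources that reach an alert threshold. The log lines are constructed for the example and use documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed syslog-style lines (not real data) in the common sshd format.
SAMPLE_LOG = """\
Mar  3 10:01:02 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:09 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:01:12 host1 sshd[1204]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Mar  3 10:01:20 host1 sshd[1205]: Failed password for bob from 198.51.100.4 port 40030 ssh2
Mar  3 10:02:01 host1 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:02:30 host1 sshd[1206]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar  3 10:02:31 host1 sshd[1206]: Failed password for root from 203.0.113.7 port 51261 ssh2
"""

# timestamp, host, program, optional [pid], message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_syslog_line(line):
    """Split one syslog line into its fields; None if it is not syslog-shaped."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def failed_logins_by_source(log_text):
    """Count sshd failed-password events per source IP and record the users tried."""
    counts = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_syslog_line(line)
        if not rec or rec["prog"] != "sshd":
            continue
        f = FAILED_RE.search(rec["msg"])
        if f:
            counts[f["ip"]]["failures"] += 1
            counts[f["ip"]]["users"].add(f["user"])
    return dict(counts)


def brute_force_suspects(log_text, threshold=5):
    """Source IPs whose failure count reaches the threshold: the alert candidates."""
    return sorted(ip for ip, c in failed_logins_by_source(log_text).items()
                  if c["failures"] >= threshold)
```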
Hardening (Disabling unnecessary services, Protecting management interfaces and applications, Password protection, Disabling unnecessary accounts) Hardening a host incorporates a number of ways that attempt to minimize or eliminate vulnerabilities. Measures may include disabling unnecessary services, protecting management interfaces and applications, implementing password protection, and disabling unnecessary accounts.
Network security (MAC limiting and filtering, 802.1x, Disabling unused interfaces and unused application service ports, Rogue machine detection) To maintain and ensure network security in a wireless network, there are a number of ways that attempt to minimize or eliminate vulnerabilities. Measures may include MAC limiting and filtering, implementing 802.1x security features, disabling unused interfaces and unused application service ports, and implementing rogue machine detection.
Security posture (Initial baseline configuration, Continuous security monitoring, Remediation) Security posture is the overall security approach taken from planning to actual implementation. It covers both technical and non‐technical policies as well as procedures and controls. There are Security Posture Assessment services which aid in obtaining a clearer picture of the current security posture and the relevant vulnerability and loopholes. In any case, the important elements of initial baseline configuration, continuous security monitoring and remediation must be thoroughly accommodated.
Reporting (Alarms, Alerts, Trends) After alarms or alerts are triggered, reporting must follow. Based on information collected over a period of time, trends can be identified and periodically reported to allow improvements to be made.
Detection controls vs. prevention controls (IDS vs. IPS, Camera vs. guard) Both IDS and cameras are detection controls since they can detect but not stop intrusion. IPS and guards are prevention controls since they are capable of discouraging and stopping the intrusion actions.
3.7 GIVEN A SCENARIO, USE APPROPRIATE TOOLS AND TECHNIQUES TO DISCOVER SECURITY THREATS AND VULNERABILITIES.
Interpret results of security assessment tools The results produced by the various security assessment tools should be interpreted. Assessment results are necessary for supporting the determination of security controls. Those tools usually come with interfaces which allow results to be reviewed in different ways; both graphical and textual.
Tools (Protocol analyzer, Vulnerability scanner, Honeynets, Port scanner, Passive vs. active tools, Banner grabbing) Different network scenarios require the use of specific tools. These tools include protocol analyzer, vulnerability scanner, honeynets, port scanner and banner grabbing tools. Some of them are active tools while some are passive tools. Judgments of tool applicability should be made on a case by case basis.
Risk calculations (Threat vs. likelihood) When calculating risk, remember that a threat is an undesired event that is a potential occurrence, while likelihood is the chance of such occurrence.
Assessment types (Risk, Threat, Vulnerability) Risk assessment represents the assignment of value to assets, threat frequency on annualized basis, consequence and exposure factors, and other elements of chance. Different assessment types calculate specific things. Risk, threat, and vulnerability should be assessed differently even though these concepts are strongly related in a real world context.
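Added example (not from the study guide) carrying the risk calculation items above through in code: asset value, exposure factor and annualized rate of occurrence give a single loss expectancy (SLE) and an annualized loss expectancy (ALE) per threat, which a risk register ranks and uses to decide whether a control is cost-justified. The register entries and control costs are constructed figures.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """One row of a constructed risk register (all values illustrative)."""
    name: str
    asset_value: float      # value assigned to the asset, in currency units
    exposure_factor: float  # fraction of the asset lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (likelihood per year)


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor: the consequence of one occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(threat):
    """ALE = SLE x ARO: expected loss per year, combining consequence and likelihood."""
    return single_loss_expectancy(threat.asset_value, threat.exposure_factor) * threat.aro


def rank_by_ale(threats):
    """Return (name, ALE) pairs with the highest expected annual loss first."""
    return sorted(((t.name, annualized_loss_expectancy(t)) for t in threats),
                  key=lambda pair: pair[1], reverse=True)


def control_value(threat, annual_cost, new_exposure_factor=None, new_aro=None):
    """Annual value of a control: ALE before minus ALE after, minus the control's cost.

    A control may reduce the exposure factor (e.g. backups), the ARO (e.g.
    patching), or both. A positive result means it pays for itself.
    """
    after = Threat(
        threat.name, threat.asset_value,
        threat.exposure_factor if new_exposure_factor is None else new_exposure_factor,
        threat.aro if new_aro is None else new_aro,
    )
    return annualized_loss_expectancy(threat) - annualized_loss_expectancy(after) - annual_cost


# Constructed register: three threats against different assets.
REGISTER = [
    Threat("ransomware on file server", 500_000, 0.60, 0.25),
    Threat("laptop theft", 4_000, 1.00, 2.0),
    Threat("web server defacement", 120_000, 0.10, 0.5),
]
```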
Assessment technique (Baseline reporting, Code review, Determine attack surface, Review architecture, Review designs) Different assessment techniques exist. Some of the more popular ones are baseline reporting, code review, attack surface review, architecture review, and design review. Specific tools are available for the different assessment methods. For example, Microsoft has the Baseline Security Analyzer (MBSA), which is useful for baseline reporting. TCS also has an Attack Surface Analyzer, which can analyze changes made to the attack surface of an OS.
3.8 EXPLAIN THE PROPER USE OF PENETRATION TESTING VERSUS VULNERABILITY SCANNING.
Penetration testing Penetration testing involves launching an attack on a computer system with the goal of identifying security weaknesses. The steps involved include:
Verifying the existence of a threat
Bypassing the security controls
Actively testing the security controls
Exploiting the vulnerabilities
Vulnerability scanning (Passively testing security controls, Identify vulnerability, Identify lack of security controls, Identify common misconfigurations, Intrusive vs. non‐intrusive, Credentialed vs. non‐credentialed, False positive) Vulnerability scanning refers to the automated process of identifying network security vulnerabilities in a proactive manner. There are a number of objectives associated with this process. They include:
Passively testing the security controls
Identifying the vulnerabilities
Identifying what security controls are lacking
Identifying the common misconfigurations
Some scanning attempts are intrusive while others are non-intrusive. Some may be credentialed while others may be non-credentialed. False positives are a possibility with vulnerability scanning.
Black box Black Box Testing is the act of performing testing without knowing the interior workings of the subject application. Essentially, the tester does not know the source code of the target application.
White box As the exact opposite of Black Box Testing, White box testing involves investigating the internal logic and structure of the known source code.
Gray box Gray Box testing is between Black Box testing and White Box testing. In this type, limited knowledge of the internal workings of the application is available.